VDB
KO

RUSTSEC-2026-0202

`let_cxx_string!` uses uninitialized value due to exception safety violations

Details

In affected versions of this crate, `let_cxx_string!` is not exception safe. After creating the `StackString`, if `match $value` panics, the content of `StackString` is not yet initialized, while the drop implementation of `StackString` unconditionally deinitializes the content, leading to use of uninitialized value.

The soundness issue was fixed in version `1.0.195` by moving drop logics to separate drop guard after initializing the `StackString`.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / cxx
Introduced in: 0.0.0-0 Fixed in: 1.0.195

Upgrade cxx to 1.0.195 or newer (ecosystem crates.io).

References