—

RUSTSEC-2026-0184

Potential undefined behavior with Signature from a buffer-created BlameHunk

Details

When a `Blame` is created via `Blame::blame_buffer()`, and a `BlameHunk` is retrieved, the pointers to the original author, original committer, final author, and final committer may be null if unavailable. The corresponding `BlameHunk` methods then create `Signature`s based on null pointers; attempting to access the data of the `Signature`s leads to dereferencing null pointers.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / git2

Introduced in: 0.0.0-0 Fixed in: 0.21.0

Upgrade git2 to 0.21.0 or newer (ecosystem crates.io).

References

https://crates.io/crates/git2 [PACKAGE]
https://rustsec.org/advisories/RUSTSEC-2026-0184.html [ADVISORY]
https://github.com/rust-lang/git2-rs/pull/1254 [WEB]