RUSTSEC-2026-0197
`Matrix{2,3,4}::swap_columns` can trigger undefined behavior for identical indices
Details
The `Matrix2::swap_columns`, `Matrix3::swap_columns`, and `Matrix4::swap_columns` implementations call `ptr::swap(&mut self[a], &mut self[b])`.
When `a == b`, these safe APIs create two mutable references to the same matrix column and pass them to `ptr::swap`. This violates Rust's aliasing rules and can trigger undefined behavior. The issue can be reproduced from safe Rust by calling `swap_columns` with identical column indices, for example `m.swap_columns(0, 0)`.
A minimal fix is to return early when the two column indices are equal before calling `ptr::swap`.
Are you affected?
Enter the version of the package you're using.
Affected packages
0.0.0-0 No fixed version published yet for cgmath. Pin to a known-safe version or switch to an alternative.
References
- https://crates.io/crates/cgmath [PACKAGE]
- https://rustsec.org/advisories/RUSTSEC-2026-0197.html [ADVISORY]
- https://github.com/rustgd/cgmath/issues/565 [REPORT]