—
RUSTSEC-2026-0202
`let_cxx_string!` uses uninitialized value due to exception safety violations
Details
In affected versions of this crate, `let_cxx_string!` is not exception safe. After creating the `StackString`, if `match $value` panics, the content of `StackString` is not yet initialized, while the drop implementation of `StackString` unconditionally deinitializes the content, leading to use of uninitialized value.
The soundness issue was fixed in version `1.0.195` by moving drop logics to separate drop guard after initializing the `StackString`.
Are you affected?
Enter the version of the package you're using.
Affected packages
crates.io / cxx
Introduced in:
0.0.0-0 Fixed in: 1.0.195 Upgrade cxx to 1.0.195 or newer (ecosystem crates.io).
References
- https://crates.io/crates/cxx [PACKAGE]
- https://rustsec.org/advisories/RUSTSEC-2026-0202.html [ADVISORY]
- https://github.com/dtolnay/cxx/issues/1729 [REPORT]