Platform: imageproc (Rust crate)

Vulnerability: Out-of-bounds read

CVE: RUSTSEC‑2026‑0117 (Moderate)

How the vulnerability works

The `imageproc` crate performs a bounds check on floating‑point coordinates before casting them to integer indices used in unchecked memory accesses. The check does not correctly handle `NaN` (Not a Number) values.
Under normal circumstances, a coordinate that lies outside the image’s dimensions would cause the check to fail and prevent unsafe access. However, when the coordinate is NaN, the comparison unexpectedly succeeds, bypassing the bounds validation.
The caller controls the floating‑point coordinates via a projection matrix passed to geometric transformation functions such as `warp_into` and `warp_into_with`.
By carefully crafting a matrix that yields `NaN` coordinates, an attacker can make the library believe the coordinates are within bounds.
When the Bilinear sampling method is used, the faulty check allows arbitrary reads within the first 32 bits of the process address space. This can be achieved with an image that has no pixel data but a single non‑zero dimension.
With Bicubic sampling, the out‑of‑bounds read is limited to a few bytes beyond the allocated memory region.

Other interpolation methods may permit additional out‑of‑bound reads.

The vulnerability affects all `imageproc` versions before 0.23.1, exactly 0.24.0 and 0.25.0, and versions from 0.26.0 up to (but not including) 0.26.2.
Patches are available in 0.23.1, 0.24.1, 0.25.1, and 0.26.2.

DailyCVE form

Platform: imageproc Rust crate
Version: 0.23.0-0.26.1
Vulnerability: Out-of-bounds read
Severity: Moderate
Date: May 7 2026

Prediction: Patched May 7

What Undercode Say: Analytics

Check your `imageproc` version with Cargo:

cargo tree | grep imageproc

Quick patch command for a Rust project (the pinned version must still satisfy the requirement in `Cargo.toml`; on the 0.23, 0.24 or 0.25 lines, pin the matching patched release from the list above instead):

cargo update -p imageproc --precise 0.26.2

Example of the vulnerable code pattern (simplified):

// imageproc::geometric_transformations::warp_into (simplified; not the crate's exact source)
let x_f = projection * src.x;
let y_f = projection * src.y;
// Negated range check: every comparison involving NaN is false, so for a
// NaN coordinate the inner condition is false and the check incorrectly passes.
if !(x_f < 0.0 || x_f >= width as f32 || y_f < 0.0 || y_f >= height as f32) {
    // `as usize` saturates NaN to 0; the read is unchecked, so an empty
    // pixel buffer turns this into an out-of-bounds read.
    let idx = (y_f as usize) * stride + (x_f as usize);
    unsafe { src.pixels.get_unchecked(idx) }
}

Exploit

  1. Control the projection matrix – Pass a matrix that produces `NaN` coordinates for the warp operation.
  2. Use a zero‑data image – Create an image with no pixel data and exactly one non‑zero dimension (e.g., width=1, height=0).
  3. Invoke `warp_into` with Bilinear interpolation – The bounds check succeeds for NaN, leading to `get_unchecked` reading arbitrary memory within the first 32‑bit address space.
  4. For Bicubic sampling – The read is limited to a few bytes beyond the allocation, but still enough to leak sensitive data.

Protection from this CVE

  • Upgrade to 0.23.1, 0.24.1, 0.25.1, or 0.26.2 immediately.
  • If you cannot upgrade, avoid using untrusted projection matrices in geometric transformations.
  • Validate all floating‑point inputs in your own code before passing them to imageproc.
  • Use memory‑safe alternatives or enable AddressSanitizer (`-Z sanitizer=address`, nightly toolchain only) during testing.
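As an added example (not code from imageproc or the advisory), the following models the negated check that lets `NaN` through beside the positive-form check the protection list asks callers to apply, together with a constructed finiteness check for a projection's coefficients. `sample`, `in_bounds_negated`, `in_bounds_positive` and `projection_is_finite` are assumed helper names, and the lookup uses `get` rather than an unchecked read so the bypass is visible without unsafe code.

```rust
// Added example, not imageproc's code: a model of the NaN bypass behind
// RUSTSEC-2026-0117 and the checks that close it.

/// Vulnerable shape: the coordinate is rejected only if one "out of range"
/// comparison is true. Every comparison against NaN is false, so NaN is
/// never rejected.
fn in_bounds_negated(x: f32, y: f32, width: u32, height: u32) -> bool {
    !(x < 0.0 || x >= width as f32 || y < 0.0 || y >= height as f32)
}

/// Hardened shape: the coordinate is accepted only if every "in range"
/// comparison is true, which NaN can never satisfy. `is_finite` states the
/// intent explicitly and also rejects infinities up front.
fn in_bounds_positive(x: f32, y: f32, width: u32, height: u32) -> bool {
    x.is_finite() && y.is_finite()
        && x >= 0.0 && x < width as f32
        && y >= 0.0 && y < height as f32
}

/// Nearest-pixel sample over a flat 8-bit buffer of `width * height` bytes.
/// `check` selects which bounds check runs. A bypassed check yields `None`
/// here instead of the unchecked read the vulnerable code performs.
fn sample(pixels: &[u8], width: u32, height: u32, x: f32, y: f32,
          check: fn(f32, f32, u32, u32) -> bool) -> Result<Option<u8>, &'static str> {
    if !check(x, y, width, height) {
        return Err("rejected by bounds check");
    }
    // `as usize` saturates: NaN becomes 0, so a bypassed check indexes 0.
    let idx = (y as usize) * width as usize + (x as usize);
    Ok(pixels.get(idx).copied())
}

/// Caller-side validation for a 3x3 projection before it reaches a warp:
/// every coefficient must be finite (constructed policy, not an imageproc API).
fn projection_is_finite(m: &[f32; 9]) -> bool {
    m.iter().all(|c| c.is_finite())
}

fn main() {
    // Constructed image: no pixel data, one non-zero dimension (width=1, height=0).
    let (width, height) = (1u32, 0u32);
    let pixels: Vec<u8> = Vec::new();
    let nan = f32::NAN;
    println!("negated check admits NaN: {}", in_bounds_negated(nan, nan, width, height));
    println!("positive check admits NaN: {}", in_bounds_positive(nan, nan, width, height));
    println!("negated: {:?}", sample(&pixels, width, height, nan, nan, in_bounds_negated));
    println!("positive: {:?}", sample(&pixels, width, height, nan, nan, in_bounds_positive));
    println!("matrix ok: {}", projection_is_finite(&[1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 0.0, 0.0, nan]));
}
```

The negated form reports `true` for NaN against an empty buffer, so the index 0 it computes would be the out-of-bounds read in the unchecked original, while the positive form rejects the coordinate before any indexing.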

Impact

  • Confidentiality – Arbitrary read from process memory can leak secrets, cryptographic keys, or user data.
  • Integrity – While this is a read‑only primitive, the leaked information may be used to craft further attacks.
  • Availability – Out‑of‑bounds reads may cause panics or application crashes.
  • CVSS 3.x Score – Medium (5.3) – AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (estimated).

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
