Skip to content

fix(deps): Bump memmap2 to 0.9.11 for RUSTSEC-2026-0186#341

Open
unclesp1d3r wants to merge 6 commits into
mainfrom
fix/rustsec-2026-0186-memmap2
Open

fix(deps): Bump memmap2 to 0.9.11 for RUSTSEC-2026-0186#341
unclesp1d3r wants to merge 6 commits into
mainfrom
fix/rustsec-2026-0186-memmap2

Conversation

@unclesp1d3r

Copy link
Copy Markdown
Member

Summary

Bumps memmap2 from 0.9.10 to 0.9.11 to resolve RUSTSEC-2026-0186 (unsound), which is currently failing the daily Security workflow's cargo audit job on main.

The advisory: affected versions of memmap2 did not validate the offset/len parameters of the advise_range / flush[_async]_range family, allowing an out-of-bounds range to reach pointer::offset()/pointer::add() and the madvise/msync syscalls (UB). Fixed upstream in 0.9.11.

  • Manifest pin updated: memmap2 = "0.9.10" -> "0.9.11"
  • Cargo.lock updated via cargo update -p memmap2

Verification

  • cargo audit -> exit 0 (advisory cleared)
  • cargo fmt --check -> pass
  • cargo clippy --all-targets --all-features -- -D warnings -> pass
  • cargo test --all-features -> all suites pass (1202 lib + integration)

Closes #340

Test plan

  • cargo audit clean
  • clippy/fmt/test green locally
  • CI green (incl. Security audit job)

memmap2 0.9.10 has an unsound unchecked-pointer-offset flaw in the
advise_range / flush_range family (out-of-bounds offset/len passed to
pointer::offset/add and on to madvise/msync). Patched in 0.9.11.

Closes #340

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
@dosubot dosubot Bot added size:XS This PR changes 0-9 lines, ignoring generated files. dependencies Pull requests that update a dependency file memory-safety Memory safety improvements and guarantees labels Jun 24, 2026
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f82b806a-d856-4b6e-9800-043bbab25f05

📥 Commits

Reviewing files that changed from the base of the PR and between aff9b98 and fb8c481.

📒 Files selected for processing (1)
  • Cargo.toml

Summary by CodeRabbit

  • Chores
    • Updated a third-party dependency to the latest patch version to include stability and maintenance improvements.

Walkthrough

Bumps memmap2 in Cargo.toml from 0.9.10 to 0.9.11, updating the dependency to the patched release for RUSTSEC-2026-0186.

Changes

memmap2 security patch

Layer / File(s) Summary
memmap2 0.9.10 → 0.9.11
Cargo.toml
Updates the memmap2 dependency version to 0.9.11.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Poem

One small bump, one safer path,
memmap2 leaves behind the wrath.
A tiny change, a steadier floor,
Rust stays safe, and nothing more.

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The title matches the change, but the scope uses an unsupported Conventional Commits scope. Rename it to a valid format with an allowed scope, such as "fix(engine): bump memmap2 to 0.9.11 for RUSTSEC-2026-0186".
✅ Passed checks (9 passed)
Check name Status Explanation
Description check ✅ Passed The description clearly describes the memmap2 security bump and its verification.
Linked Issues check ✅ Passed The PR upgrades memmap2 from 0.9.10 to 0.9.11, satisfying the linked issue's fix requirement.
Out of Scope Changes check ✅ Passed The diff only updates the memmap2 dependency, with no unrelated changes visible.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Memory-Safety-Check ✅ Passed Patch only bumps memmap2 in Cargo.toml; no source files changed, and no new unsafe/raw-pointer/transmute code was introduced.
Libmagic-Compatibility-Check ✅ Passed Parser/output changes are refactors and hardening only; standard syntax handling and GNU-style formatting behavior remain intact.
Performance-Regression-Check ✅ Passed Only memmap2 was bumped; no parser/evaluator/I/O hot-path code changed, and the core path still uses mmap with no affected range APIs used.
Test-Coverage-Check ✅ Passed PASS: This PR only bumps memmap2 and refreshes the lockfile; no new functionality or code paths were added, and the repo already has boundary/error/property tests around file I/O.
Error-Handling-Check ✅ Passed Production diffs in changed src files have no unwrap/expect/panic; library APIs still use Result and thiserror-backed error enums.

Warning

Review ran into problems

🔥 Problems

These MCP integrations need to be re-authenticated in the Integrations settings: Linear, Notion


Comment @coderabbitai help to get the list of available commands.

@mergify

mergify Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Merge Protections

🔴 1 of 4 protections blocking

Protection Waiting on
🔴 🚦 Auto-queue
🟢 Enforce conventional commit
🟢 Full CI must pass
🟢 Do not merge outdated PRs

🔴 🚦 Auto-queue

This rule is failing.

When all merge protections are satisfied and these conditions match, this pull request will be queued automatically.

  • any of:
    • all of:
      • author = dosubot[bot]
      • base = main
      • label != do-not-merge
    • all of:
      • author = dependabot[bot]
      • base = main
      • label != do-not-merge
    • all of:
      • author = release-plz[bot]
      • head ~= ^release-plz-
      • base = main
      • label != do-not-merge

Show 3 satisfied protections

🟢 Enforce conventional commit

Require conventional commit format per https://www.conventionalcommits.org/en/v1.0.0/. Skipped for bots.

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?!?:

🟢 Full CI must pass

All CI checks must pass. Release-plz PRs are exempt because they only bump versions and changelogs (code was already tested on main), and GITHUB_TOKEN-triggered force-pushes suppress CI.

  • check-success = coverage
  • check-success = quality
  • check-success = test
  • check-success = test-cross-platform (macos-latest, macOS)
  • check-success = test-cross-platform (ubuntu-22.04, Linux)
  • check-success = test-cross-platform (ubuntu-latest, Linux)
  • check-success = test-cross-platform (windows-latest, Windows)

🟢 Do not merge outdated PRs

Make sure PRs are within 10 commits of the base branch before merging

  • #commits-behind <= 10

@mergify

mergify Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Copilot AI review requested due to automatic review settings July 3, 2026 15:11
@unclesp1d3r unclesp1d3r removed the request for review from Copilot July 3, 2026 15:11
Copilot AI review requested due to automatic review settings July 6, 2026 03:52
@unclesp1d3r unclesp1d3r removed the request for review from Copilot July 6, 2026 03:52
Copilot AI review requested due to automatic review settings July 6, 2026 03:54
@unclesp1d3r unclesp1d3r removed the request for review from Copilot July 6, 2026 03:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file memory-safety Memory safety improvements and guarantees size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0186: Unchecked pointer offset in crate memmap2

1 participant