ncurses exposes uninitialized memory in string reading functions · GHSA-x77x-7mmh-cxv3 · GitHub Advisory Database · GitHub

ncurses exposes uninitialized memory in string reading functions

Moderate severity GitHub Reviewed Published Oct 22, 2025 to the GitHub Advisory Database • Updated Oct 22, 2025

Package

ncurses (Rust)

Affected versions

<= 6.0.1

Patched versions

None

Description

Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.

This allows reading uninitialized memory which may contain sensitive data from previous allocations.

The ncurses-rs repository is archived and unmaintained.

References

Published to the GitHub Advisory Database Oct 22, 2025

Reviewed Oct 22, 2025

Last updated Oct 22, 2025

Severity

Moderate

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required None

User interaction None

Vulnerable System Impact Metrics

Confidentiality Low

Integrity None

Availability None

Subsequent System Impact Metrics

Confidentiality None

Integrity None

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P