Description
A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.
Published: 2026-01-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Undefined behavior resulting in application instability or other unintended consequences
Action: Upgrade or Validate
AI Analysis

Impact

A flaw in the gix-date library causes the TimeBuf::as_str routine to generate strings that contain non‑UTF8 characters. The malformed strings violate internal safety invariants, triggering undefined behavior when processed by the application. This can lead to crashes, unresponsiveness, or other unpredictable behaviors, impacting the reliability of the affected software.

Affected Systems

The vulnerability affects GitoxideLabs’s gitoxide repository and components that rely on gix-date. It also impacts Red Hat Logging Subsystem for OpenShift and Red Hat Enterprise Linux versions 8, 9, and 10. No specific version numbers are listed, so all releases that contain the affected gix-date component should be considered potentially impacted.

Risk and Exploitability

The base CVSS score is 7.1, indicating high severity. Exploit probability is low, with an EPSS score below 1%. The issue is not catalogued in the CISA KEV list. The attack vector is inferred rather than stated: any code path that parses or generates time strings using gix-date, such as log ingestion, Git operations, or time-related processing, could be used to supply crafted input that triggers the undefined behavior. Once triggered, the vulnerability could destabilize the application or accidentally expose internal state through fault handling.

Generated by OpenCVE AI on April 16, 2026 at 07:18 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Upgrade to a recent release of gix-date or components that include the fixed routine.
  • If an upgrade is not feasible, sanitize or validate any input strings processed by TimeBuf::as_str to ensure they contain only valid UTF‑8 before passing them to the library.
  • Implement application‑level error handling or input validation around time parsing to guard against potential crashes caused by malformed strings.
  • No reliable workaround is available per the CNA; rely on vendor patches and keep systems up to date.



Advisories
Source: Github GHSA
ID: GHSA-6mw6-mj76-grwc
Title: gix-date can create non-utf8 string with `TimeBuf::as_str`
History

Wed, 04 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 15:30:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Fri, 13 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Gitoxidelabs
Gitoxidelabs gix-date
Weaknesses CWE-682
CPEs cpe:2.3:a:gitoxidelabs:gix-date:*:*:*:*:*:rust:*:*
Vendors & Products Gitoxidelabs
Gitoxidelabs gix-date

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: No description is available for this CVE.
Values Added: A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.
Title
Values Removed: gix-date: gix-date: Undefined behavior due to invalid string generation
Values Added: Gix-date: gix-date: undefined behavior due to invalid string generation
First Time appeared Redhat
Redhat enterprise Linux
Redhat logging
CPEs cpe:/a:redhat:logging:5
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat logging
References

Fri, 16 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title gix-date: gix-date: Undefined behavior due to invalid string generation
Weaknesses CWE-135
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}

threat_severity

Moderate


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-20T01:39:46.966Z

Reserved: 2026-01-09T15:01:06.978Z

Link: CVE-2026-0810

Vulnrichment

Updated: 2026-01-26T20:59:02.593Z

NVD

Status: Modified

Published: 2026-01-26T20:16:09.600

Modified: 2026-02-26T16:23:35.000

Link: CVE-2026-0810

Redhat

Severity: Moderate

Public Date: 2025-12-29T12:00:00Z

Links: CVE-2026-0810 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T07:30:28Z

Weaknesses