Diesel fixes SQLite aggregate alignment bug in RustSec advisory
Diesel moved SQLite aggregate state back onto the Rust side after a misalignment bug could make custom over-aligned aggregates trigger undefined behavior.

Diesel’s SQLite aggregate hook had a soundness trap hiding in the boundary between Rust and C. If a custom aggregate used `diesel::sqlite::SqliteAggregate` with a Rust type that demanded stricter alignment, SQLite’s `sqlite3_aggregate_context` could hand Diesel storage that was not aligned well enough for that type, and any later read or write through that memory could become undefined behavior.

The RustSec advisory, RUSTSEC-2026-0137, was reported on April 24, 2026 and issued on May 13, 2026. It focused on users who register custom aggregate SQL functions on SQLite and back them with a nonstandard layout, including types marked with `#[repr(align(x))]`. Diesel had been relying on SQLite to supply the aggregate processor state, but SQLite does not promise alignment that matches every possible Rust type. That is exactly the kind of edge case that can slip past ordinary testing and only show up when a higher-level abstraction starts storing Rust state inside foreign memory.

Diesel’s fix landed in 2.3.8, which the advisory marks as the patched release. The crate now allocates the aggregate state on the Rust side so the storage is correctly aligned, and the RustSec entry links the repair to GitHub pull request #5042. Diesel 2.3.8 also bundled other security fixes, including an unsound string-construction issue in SQLite text reads, possible memory leaks in `SqliteConnection::register_function`, and a padding-byte access issue in the MySQL backend. For teams running FFI-heavy extension code, the practical takeaway is clear: any time Rust state is parked in external C-managed storage, alignment deserves the same attention as ownership and lifetimes.
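The alignment mismatch and the Rust-side allocation described above, as an added sketch that is not Diesel's code: `SumState`, `Arena` and the helper functions are hypothetical, and `Arena` is a constructed stand-in for C-managed context memory that is assumed to guarantee only 8-byte alignment.

```rust
use std::mem::align_of;

/// Hypothetical over-aligned aggregate state (the case the advisory describes).
#[repr(align(64))]
#[derive(Default)]
struct SumState { total: i64, rows: u64 }

/// Constructed stand-in for C-managed memory. The buffer is 64-aligned so that
/// `ctx()` at offset 8 is 8-aligned but deterministically not 64-aligned.
#[repr(align(64))]
struct Arena([u8; 128]);

impl Arena {
    fn ctx(&mut self) -> *mut u8 { self.0[8..].as_mut_ptr() }
}

/// The check the in-place pattern needs: may `ptr` be used as a `*mut T`?
fn aligned_for<T>(ptr: *const u8) -> bool {
    (ptr as usize) % align_of::<T>() == 0
}

/// Rust allocates the state; the foreign slot only holds a plain pointer to it.
fn init(ctx: *mut u8) {
    assert!(aligned_for::<*mut SumState>(ctx)); // pointer-sized slot is fine
    let state = Box::into_raw(Box::new(SumState::default()));
    unsafe { ctx.cast::<*mut SumState>().write(state) };
}

/// Reads the Rust-owned state pointer back out of the foreign slot.
fn state_ptr(ctx: *mut u8) -> *mut SumState {
    unsafe { ctx.cast::<*mut SumState>().read() }
}

fn step(ctx: *mut u8, value: i64) {
    let state = unsafe { &mut *state_ptr(ctx) };
    state.total += value;
    state.rows += 1;
}

/// Reclaims the Box so the state is dropped exactly once.
fn finalize(ctx: *mut u8) -> (i64, u64) {
    let state = unsafe { Box::from_raw(state_ptr(ctx)) };
    (state.total, state.rows)
}

/// Returns (in-place placement aligned?, boxed state aligned?, aggregate result).
fn run(values: &[i64]) -> (bool, bool, (i64, u64)) {
    let mut arena = Arena([0; 128]);
    let ctx = arena.ctx();
    let in_place_ok = aligned_for::<SumState>(ctx);
    init(ctx);
    let boxed_ok = aligned_for::<SumState>(state_ptr(ctx).cast::<u8>());
    for &v in values { step(ctx, v); }
    (in_place_ok, boxed_ok, finalize(ctx))
}
```

Placing `SumState` directly at `ctx` would fail the alignment check, while the boxed state passes it because the Rust allocator honors the type's layout.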

The issue also lands on top of a long-running feature path. Diesel has supported custom SQLite aggregate functions for years, and issue #2191 asking for that support dates back to 2019. That makes this advisory less like a brand-new API warning and more like a correction to a long-standing extension point that library authors have relied on. Diesel 2.3.9 followed about two weeks after 2.3.8 and fixed a separate regression in `#[derive(AsChangeset)]`, but the alignment repair in 2.3.8 is the release that matters for SQLite aggregate users. The bug was small in surface area, but it was exactly the kind of low-level mismatch that can turn a safe abstraction into a memory-model problem.
