
RustSec flags diesel-async memory bug that could leak data

RustSec warned that diesel-async could leak padding bytes from MySQL temporal reads, exposing DATE, TIME, DATETIME, and TIMESTAMP data through async code.

Jamie Taylor

A memory bug in diesel-async could expose uninitialized padding bytes every time Rust code reads MySQL DATE, TIME, DATETIME, or TIMESTAMP values through the async stack. The flaw is especially sharp because it sits inside safe Rust-facing code, turning what should be a routine serialization step into a possible data-disclosure path.

RustSec identified the issue as RUSTSEC-2026-0138, reported on April 30, 2026 and issued on May 13, 2026. The advisory says diesel-async relied on mysql-async to obtain deserialized date and time values, then converted them back into the serialized binary form expected by Diesel by casting a MysqlTime repr(C) struct into a byte array. Because that struct includes padding bytes, the cast exposed uninitialized memory to safe Rust code. GitHub’s advisory describes the result as uninitialized stack padding reaching safe code on every read of the affected MySQL temporal columns, and classifies the issue as low severity.


The affected surface is not narrow. It includes diesel::serialize::FromSql<Timestamp, Mysql>, FromSql<Time, Mysql>, FromSql<Date, Mysql>, and FromSql<DateTime, Mysql> when those paths are used with AsyncMysqlConnection. In practical terms, any service leaning on diesel-async for high-concurrency MySQL traffic was running serialization code that could leak stale heap or stack contents, even though the call site itself looked safe.

The fix landed in diesel-async 0.9.0 and newer. The release notes say the project corrected an unsound access to padding values while deserializing Date and Time values in the MySQL backend, and credit paolobarbolini with finding the issue. The patched code now calls a safe serialization method provided by Diesel 2.3.9 and newer instead of depending on the old cast-based path. That lines up closely with Diesel’s own 2.3.9 release work, showing how the async crate’s repair tracks the main library’s serialization layer.
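To make the cast-versus-field-serialization distinction concrete, here is an added example (not Diesel's or diesel-async's code) using a hypothetical `TemporalValue` struct whose repr(C) layout contains padding; the real MysqlTime layout and the crates' helper names are not reproduced. It shows why a byte-cast of such a struct leaks padding and how writing each field explicitly keeps every output byte initialized and deterministic.

```rust
use std::mem::size_of;

/// Hypothetical repr(C) temporal struct (an assumption for this example, not
/// Diesel's MysqlTime). Field offsets under repr(C):
///   year 0..2, month 2, day 3, hour 4, minute 5, second 6,
///   [padding at 7], second_part 8..12, neg 12, [padding at 13..16].
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct TemporalValue {
    pub year: u16,
    pub month: u8,
    pub day: u8,
    pub hour: u8,
    pub minute: u8,
    pub second: u8,
    pub second_part: u32,
    pub neg: bool,
}

pub const WIRE_LEN: usize = size_of::<TemporalValue>();
const _: () = assert!(WIRE_LEN == 16, "layout assumption broken");
/// Byte positions that hold no field data and would be leaked by a cast.
pub const PADDING_OFFSETS: [usize; 4] = [7, 13, 14, 15];

// The unsound pattern the advisory describes looks like
//     unsafe { std::mem::transmute::<TemporalValue, [u8; 16]>(v) }
// Padding bytes are uninitialized, so the result is undefined behaviour and,
// in practice, whatever stale stack contents sat at those offsets.

/// Sound serialization: the buffer is fully initialized up front, and only
/// real field bytes are copied in, so padding slots are always zero.
pub fn to_bytes(v: &TemporalValue) -> [u8; WIRE_LEN] {
    let mut out = [0u8; WIRE_LEN];
    out[0..2].copy_from_slice(&v.year.to_ne_bytes());
    out[2] = v.month;
    out[3] = v.day;
    out[4] = v.hour;
    out[5] = v.minute;
    out[6] = v.second;
    out[8..12].copy_from_slice(&v.second_part.to_ne_bytes());
    out[12] = v.neg as u8;
    out
}

/// Field-by-field decode, the inverse of `to_bytes`.
pub fn from_bytes(b: &[u8; WIRE_LEN]) -> TemporalValue {
    TemporalValue {
        year: u16::from_ne_bytes([b[0], b[1]]),
        month: b[2], day: b[3], hour: b[4], minute: b[5], second: b[6],
        second_part: u32::from_ne_bytes([b[8], b[9], b[10], b[11]]),
        neg: b[12] != 0,
    }
}

/// Audit check: every padding slot in a serialized value must be zero.
pub fn padding_is_zeroed(b: &[u8; WIRE_LEN]) -> bool {
    PADDING_OFFSETS.iter().all(|&i| b[i] == 0)
}
```

A unit test that serializes the same value twice and compares the buffers, plus `padding_is_zeroed`, is a cheap regression guard against a cast-based path creeping back in.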


The same release also changed transaction-related functions to accept a real async closure instead of the older scoped boxed variant, so maintainers got a security fix and an API shift in the same update. For teams running diesel-async in production, the immediate audit is clear: check every async MySQL temporal serialization path, remove any unsafe byte-casting patterns, and pin deployments to diesel-async 0.9.0 or newer before another padding byte slips out through the stack.
