RustSec flags vku crate unsoundness, safe code may write out of bounds

RustSec’s new INFO advisory says vku’s `VMABuffer::set_data` can write past a buffer from safe code, and that breaks Rust’s core promise.

Sam Ortega · 2 min read
RustSec has flagged a trust break in vku that Rust developers care about immediately: `VMABuffer::set_data` may let safe code perform out-of-bounds writes. The advisory, RUSTSEC-2025-0162, landed on May 20, 2026 and is marked INFO and Unsound, which puts it in the category RustSec uses for crates whose APIs do not uphold safe Rust invariants.

That matters because vku is not a toy crate. Its GitHub repository describes it as a work-in-progress utility crate for kickstarting Vulkan development with shaderc, ash, and gpu-allocator, the kind of low-level stack where buffer math and pointer handling sit close to the metal. In that world, a convenience wrapper that looks harmless can become the weakest link if it hides raw memory access behind a safe signature.

The specific failure here centers on `VMABuffer::set_data`. RustSec says the function may allow out-of-bounds writes from safe code, and an earlier GitHub issue on vku warned that the public `set_data` function used `ptr.add` and could expose out-of-bounds access through a safe API. vku’s repository history also includes a commit titled “fix #5 possible ptr overflow in VMABuffer::set_data,” which makes the advisory feel less like a theoretical audit note and more like a known sharp edge that survived long enough to become a security entry.

For Rust users, the seriousness is practical even if the advisory is not framed as a remotely exploitable bug. An out-of-bounds write in graphics code can corrupt adjacent memory, destabilize rendering jobs, and create crashes that only appear under particular allocation layouts or upload paths. That is exactly the kind of defect that makes unsafe boundaries matter, because the caller may think they are using an ordinary safe helper while the implementation slips past the buffer it was supposed to protect.

RustSec’s own unsoundness category exists for this reason. The database, maintained by the Rust Secure Code Working Group, tracks crates published through crates.io and calls out packages that can undermine Rust’s safety guarantees without necessarily being classic vulnerabilities. vku now sits in that spotlight, and the lesson is blunt: in systems crates, a safe API is only as trustworthy as the bounds checks and pointer arithmetic underneath it.
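
The `set_data` pattern described above, as an added example rather than vku's own code: a raw `ptr.add` write kept behind `unsafe`, next to a safe wrapper that proves the range first. `MappedBuffer`, `WriteError` and the `Vec<u8>` standing in for mapped GPU memory are hypothetical names and assumptions made for illustration.

```rust
/// Hypothetical stand-in for a mapped GPU buffer (not vku's VMABuffer).
pub struct MappedBuffer {
    storage: Vec<u8>, // assumption: plays the role of the mapped allocation
}

#[derive(Debug, PartialEq)]
pub enum WriteError {
    OutOfBounds { offset: usize, len: usize, capacity: usize },
}

impl MappedBuffer {
    pub fn new(capacity: usize) -> Self {
        Self { storage: vec![0; capacity] }
    }

    /// Raw write. Exposing this body under a safe signature would be unsound,
    /// because nothing ties `offset + data.len()` to the allocation size.
    ///
    /// # Safety
    /// `offset + data.len()` must not exceed the buffer capacity.
    pub unsafe fn set_data_unchecked(&mut self, offset: usize, data: &[u8]) {
        unsafe {
            let dst = self.storage.as_mut_ptr().add(offset);
            std::ptr::copy_nonoverlapping(data.as_ptr(), dst, data.len());
        }
    }

    /// Safe wrapper: validates the range with overflow-checked arithmetic.
    pub fn set_data(&mut self, offset: usize, data: &[u8]) -> Result<(), WriteError> {
        let (len, capacity) = (data.len(), self.storage.len());
        match offset.checked_add(len) {
            Some(end) if end <= capacity => {
                // SAFETY: offset..end was just proven to lie inside `storage`.
                unsafe { self.set_data_unchecked(offset, data) };
                Ok(())
            }
            // Covers both a range past the end and an overflowing offset + len.
            _ => Err(WriteError::OutOfBounds { offset, len, capacity }),
        }
    }

    pub fn bytes(&self) -> &[u8] {
        &self.storage
    }
}

fn main() {
    let mut buf = MappedBuffer::new(8); // constructed sample sizes
    println!("{:?}", buf.set_data(4, &[1, 2, 3, 4])); // fits exactly
    println!("{:?}", buf.set_data(6, &[9, 9, 9, 9])); // 6 + 4 > 8
    println!("{:?}", buf.set_data(usize::MAX, &[1])); // offset + len overflows
}
```

The `checked_add` matters as much as the comparison: a plain `offset + len <= capacity` wraps in release builds and can pass for a huge offset.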