PT-2021-17193 · Ms3D · Ms3D
Published: 2021-01-26 · Updated: 2021-08-25
CVE-2021-26952
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
ms3d crate versions prior to 0.1.3
Description:
The issue allows attackers to obtain sensitive information from uninitialized memory locations via IoReader::read. Affected versions of the crate pass an uninitialized buffer to a user-provided Read implementation, which can read from the buffer and report an incorrect number of bytes written, producing undefined values that can invoke undefined behavior.
Recommendations:
For versions prior to 0.1.3, update to version 0.1.3 or later, which fixes the issue by zero-initializing the buffer before passing it to Read. As a temporary workaround, consider avoiding the use of IoReader::read until the update is applied.
Exploit
Fix
Use of Uninitialized Resource
Weakness Enumeration
Related Identifiers
Affected Products
Ms3D
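The buffer handling from the Description and Recommendations above, as an added Rust example that is not the ms3d crate's own code. MisbehavingReader, read_checked and read_from_slice are hypothetical names, and the check on the reported length is an extra guard assumed here, beyond the zero-initialization the advisory names as the fix.

```rust
use std::io::{self, Error, ErrorKind, Read};

// Hypothetical reader (constructed for this example): it inspects the buffer
// it is handed and over-reports how many bytes it wrote.
struct MisbehavingReader {
    saw_nonzero: bool,
}

impl Read for MisbehavingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        // Safe code may read the caller's buffer; stale memory would show up here.
        self.saw_nonzero |= buf.iter().any(|&b| b != 0);
        if let Some(first) = buf.first_mut() {
            *first = b'M'; // only one byte is really written
        }
        Ok(buf.len() + 8) // claims more bytes than the buffer can hold
    }
}

// Hardened pattern: the buffer is zero-initialized (vec![0u8; len], not
// Vec::with_capacity + set_len), and the reported length is validated
// (assumption: this second check is not described in the advisory).
fn read_checked<R: Read>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; len];
    let n = reader.read(&mut buf)?;
    if n > buf.len() {
        return Err(Error::new(ErrorKind::InvalidData, "reader over-reported length"));
    }
    buf.truncate(n); // keep only the bytes the reader says it filled
    Ok(buf)
}

// Well-behaved source for comparison: &[u8] implements Read.
fn read_from_slice(mut data: &[u8], len: usize) -> io::Result<Vec<u8>> {
    read_checked(&mut data, len)
}

fn main() {
    let mut bad = MisbehavingReader { saw_nonzero: false };
    let result = read_checked(&mut bad, 16);
    println!("over-reported length rejected: {}", result.is_err());
    println!("reader observed non-zero bytes: {}", bad.saw_nonzero);
    // Constructed sample input, not a real MS3D file.
    println!("{:?}", read_from_slice(b"MS3D000000", 4));
}
```

Because the buffer is zeroed before the call, the reader only ever observes zeros, and a length larger than the buffer is turned into an error instead of being trusted.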