The Context struct has all fields public (pub d len, pub digest, etc.). Code from other modules within the same crate can directly modify d len to a value exceeding the digest vector length. When reset() is subsequently called, self.digest[self.d len as usize] = 0 becomes an out-of-bounds write.

This advisory has been withdrawn because the above unsoundness cannot be triggered in safe code by dependents of the crate, as the Context struct is not public. It merely represents an opportunity for improvement for the crate's internals.