CVE-2025-46333 Information

Description

z2d is a pure Zig 2D graphics library. In version 0.6.0, when writing from one surface to another using z2d.compositor.StrideCompositor.run, the source surface can be completely out of bounds on the x-axis (but not on the y-axis) by way of a negative offset. This results in an overflow of the value controlling the length of the stride. In non-safe optimization modes (consumers compiling with ReleaseFast or ReleaseSmall), this could potentially lead to invalid memory accesses or corruption. This issue is patched in version 0.6.1.

Reference

https://github.com/vancluever/z2d/issues/104
https://github.com/vancluever/z2d/issues/105
https://github.com/vancluever/z2d/security/advisories/GHSA-mm4c-p35v-7hx3
