
Add advisory for cgmath: Matrix::swap_columns can trigger UB with identical indices#2910

Open
DiuDiu777 wants to merge 1 commit into rustsec:main from DiuDiu777:cgmath-swap-columns-advisory

Conversation

@DiuDiu777

Affected crate(s)

  • cgmath (1,618,302 recent downloads per crates.io; 10,211,015 total downloads)

Links to upstream issue(s) or PR(s)

The issue was publicly reported upstream on 2026-03-11 and remains open with no maintainer response as of 2026-05-27.

Severity

Informational soundness issue. Safe Rust code can trigger undefined behavior by calling Matrix2::swap_columns, Matrix3::swap_columns, or Matrix4::swap_columns with identical column indices.

The affected implementations call ptr::swap(&mut self[a], &mut self[b]); when a == b, this creates overlapping mutable references to the same matrix column and violates Rust aliasing rules. Miri reports a Stacked Borrows violation. No unsafe code is required from the caller.

Checklist

  • Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

The issue was publicly reported upstream on 2026-03-11 and remains open with no maintainer response as of 2026-05-27. The repository also appears inactive. I am filing this advisory under RustSec's documented allowance for advisories after public disclosure with no upstream response.
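The following is an added, self-contained illustration of the pattern the advisory describes and of a sound replacement; it is not code from cgmath or from this pull request. `Mat2` is a toy column-major 2x2 matrix standing in for cgmath's `Matrix2`; the `swap_columns_unsound` method reproduces the shape of the reported code (two `&mut self[_]` reborrows coerced to raw pointers and passed to `ptr::swap`), which compiles because each reference is dead as soon as it becomes a `*mut`, so the borrow checker never sees the two mutable borrows overlap. The sound version swaps through a single borrow of the column array with `<[T]>::swap`, which is defined to be a no-op for identical indices.

```rust
use std::ops::{Index, IndexMut};
use std::ptr;

/// Toy column-major 2x2 matrix standing in for cgmath's Matrix2.
/// Illustrative type only; not cgmath's own.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Mat2 {
    pub cols: [[f32; 2]; 2],
}

impl Index<usize> for Mat2 {
    type Output = [f32; 2];
    fn index(&self, c: usize) -> &[f32; 2] {
        &self.cols[c]
    }
}

impl IndexMut<usize> for Mat2 {
    fn index_mut(&mut self, c: usize) -> &mut [f32; 2] {
        &mut self.cols[c]
    }
}

impl Mat2 {
    pub fn new(c0: [f32; 2], c1: [f32; 2]) -> Self {
        Mat2 { cols: [c0, c1] }
    }

    /// Shape of the code the advisory describes. Each `&mut self[_]` is
    /// coerced to `*mut` at the call site, so both borrows are dead before
    /// the other is taken and rustc accepts it. When `a == b` both raw
    /// pointers alias one column, which the PR reports Miri flags as a
    /// Stacked Borrows violation. Not called from `main`; kept so a reader
    /// can exercise it under `cargo miri run`.
    #[allow(dead_code)]
    pub fn swap_columns_unsound(&mut self, a: usize, b: usize) {
        unsafe { ptr::swap(&mut self[a], &mut self[b]) };
    }

    /// Sound replacement: one borrow of the column array, and
    /// `<[T]>::swap` is specified to do nothing when `a == b`.
    /// Out-of-range indices panic, as indexing already does.
    pub fn swap_columns(&mut self, a: usize, b: usize) {
        self.cols.swap(a, b);
    }
}

/// Runs the sound swap on a distinct-index and an identical-index case
/// (constructed sample data) and returns both results for checking.
pub fn demo() -> (Mat2, Mat2) {
    let mut m = Mat2::new([1.0, 2.0], [3.0, 4.0]);
    m.swap_columns(0, 1);

    let mut n = Mat2::new([1.0, 2.0], [3.0, 4.0]);
    n.swap_columns(1, 1); // identical indices must leave the matrix unchanged
    (m, n)
}

fn main() {
    let (swapped, same) = demo();
    println!("swap_columns(0, 1): {:?}", swapped);
    println!("swap_columns(1, 1): {:?}", same);
}
```

To reproduce the report, point `main` at `swap_columns_unsound(1, 1)` and run the program under Miri; the sound version needs no `unsafe` at all, so the identical-index case never reaches an aliasing question.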

@djc
Member

djc commented Jun 1, 2026

Pinged some of the maintainers in the upstream issue. Feel free to ping me again if there's been no progress in 4 weeks or so.
