Severity : Medium The Argon2-based `S2K::derive_key` path allocates its working memory through an internal `Blocks` helper, which wraps a `*mut argon2::Block` obtained via `alloc_zeroed`.【F:openpgp/src/crypto/s2k.rs†L200-L223】【F:openpgp/src/crypto/s2k.rs†L500-L537】 After Argon2 finishes, the temporary `Blocks` instance is dropped, but its `Drop` implementation simply hands the pointer back to the global allocator without overwriting the contents. This leaves the entire Argon2 memory matrix —including the lane blocks that determine the derived session key—sitting in heap pages until the allocator decides to reuse them. Because Argon2's finalisation phase hashes the last block of each lane to produce the output key, recovering those blocks from freed memory is enough to recreate the derived key without knowing the password. Any attacker who can inspect the address space (e.g. via `/proc/$pid/mem`, a core dump, or a custom allocator embedded in a malicious plugin) can snapshot the stale scratch space and immediately re-derive the symmetric key that protects the user's secret keys or password-encrypted messages. Last commint hash \`05e6707ad2c68fa52a30c3c9a21d54dc00089919\`