diff --git a/.deny.toml b/.deny.toml
index e65cdd34..01f2beca 100644
--- a/.deny.toml
+++ b/.deny.toml
@@ -14,6 +14,8 @@ ignore = [
   { id = "RUSTSEC-2025-0141", reason = "`bincode` is unmaintained but continuing to use it." },
   { id = "RUSTSEC-2023-0089", reason = "atomic-polyfill is pulled transitively via risc0-zkvm; waiting on upstream fix (see https://github.com/risc0/risc0/issues/3453)" },
   { id = "RUSTSEC-2026-0097", reason = "`rand` v0.8.5 is present transitively from logos crates, modification may break integration" },
+  { id = "RUSTSEC-2026-0118", reason = "`hickory-proto` NSEC3 unbounded loop; no safe upgrade — pulled transitively via libp2p, fix requires upstream logos/libp2p update" },
+  { id = "RUSTSEC-2026-0119", reason = "`hickory-proto` DNS compression DoS; pulled transitively via libp2p, fix requires upstream logos/libp2p update" },
 ]
 yanked = "deny"
 unused-ignored-advisory = "deny"
diff --git a/nssa/core/src/program.rs b/nssa/core/src/program.rs
index a89b0687..1bd2a5d5 100644
--- a/nssa/core/src/program.rs
+++ b/nssa/core/src/program.rs
@@ -112,8 +112,10 @@ impl PrivateAccountKind {
                 Some(Self::Regular(identifier))
             }
             0x01 => {
-                let program_id: ProgramId = bytemuck::try_cast_slice(&bytes[1..33])
-                    .expect("bytes are castable to &[u32]")
+                let program_id: ProgramId = bytes[1..33]
+                    .chunks_exact(4)
+                    .map(|chunk| u32::from_le_bytes(chunk.try_into().unwrap()))
+                    .collect::<Vec<_>>()
                     .try_into()
                     .expect("slice has exactly 8 u32 elements");
                 let seed = PdaSeed::new(bytes[33..65].try_into().unwrap());