rustsec-2025-0166
Vulnerability from osv_rustsec
Affected versions of `stackvector` contained multiple soundness issues that could allow safe Rust code to trigger undefined behavior.
One issue was that `StackVec::length` was exposed as a public field. Safe Rust code could set `length` to a value larger than the backing array capacity. Other safe methods, including `remove`, `pop`, and `truncate`, relied on `length` before performing unsafe pointer operations (`ptr::read`, `ptr::copy`, `offset`/`add`). If `length` was corrupted by safe code, these methods could perform out-of-bounds pointer arithmetic, reads, writes, or copies.
The upstream maintainer also identified additional soundness issues, including the use of `mem::uninitialized` in `StackVec::from_vec_unchecked`, which was reachable through `from_vec`, and Miri violations related to `MaybeUninit` usage.
Version `2.0.0` was released to fix the known soundness issues.
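The invariant at stake (the length never exceeds capacity, and every slot below it is initialized) can be enforced by keeping the length field private and making the only unchecked setter `unsafe`. The sketch below is an added illustration, not code from `stackvector` or its 2.0.0 fix; `FixedVec` and its methods are hypothetical names.

```rust
use std::mem::MaybeUninit;

/// Hypothetical type for illustration; not stackvector's code.
/// Invariant: len <= N and buf[..len] is initialized.
pub struct FixedVec<T, const N: usize> {
    buf: [MaybeUninit<T>; N],
    len: usize, // private: safe callers cannot break the invariant
}

impl<T, const N: usize> FixedVec<T, N> {
    pub fn new() -> Self {
        Self { buf: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 }
    }
    pub fn len(&self) -> usize { self.len }

    /// Hands the value back instead of writing past capacity.
    pub fn push(&mut self, value: T) -> Result<(), T> {
        if self.len == N { return Err(value); }
        self.buf[self.len].write(value);
        self.len += 1;
        Ok(())
    }
    pub fn pop(&mut self) -> Option<T> {
        if self.len == 0 { return None; }
        self.len -= 1;
        // SAFETY: slot `len` was initialized by push and is now outside the live range.
        Some(unsafe { self.buf[self.len].assume_init_read() })
    }
    pub fn truncate(&mut self, new_len: usize) {
        while self.len > new_len { drop(self.pop()); }
    }
    /// Unchecked length change: `unsafe`, so the caller owns the obligation.
    /// Safety: `new_len <= N` and the first `new_len` slots must be initialized.
    pub unsafe fn set_len(&mut self, new_len: usize) {
        debug_assert!(new_len <= N);
        self.len = new_len;
    }
}

impl<T, const N: usize> Drop for FixedVec<T, N> {
    fn drop(&mut self) { self.truncate(0); }
}

fn main() {
    let mut v: FixedVec<u32, 2> = FixedVec::new();
    assert!(v.push(1).is_ok() && v.push(2).is_ok());
    assert_eq!(v.push(3), Err(3)); // full: rejected, no out-of-bounds write
    assert_eq!((v.pop(), v.pop(), v.pop()), (Some(2), Some(1), None));
}
```

With the field private, every path that reaches the `unsafe` read in `pop` goes through code that maintains the invariant, which is what a public `length` field made impossible.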
{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "stackvector",
        "purl": "pkg:cargo/stackvector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of `stackvector` contained multiple soundness issues that could allow safe Rust code to trigger undefined behavior.\n\nOne issue was that `StackVec::length` was exposed as a public field. Safe Rust code could set `length` to a value larger than the backing array capacity. Other safe methods, including `remove`, `pop`, and `truncate`, relied on `length` before performing unsafe pointer operations (`ptr::read`, `ptr::copy`, `offset`/`add`). If `length` was corrupted by safe code, these methods could perform out-of-bounds pointer arithmetic, reads, writes, or copies.\n\nThe upstream maintainer also identified additional soundness issues, including the use of `mem::uninitialized` in `StackVec::from_vec_unchecked`, which was reachable through `from_vec`, and Miri violations related to `MaybeUninit` usage.\n\nVersion `2.0.0` was released to fix the known soundness issues.",
  "id": "RUSTSEC-2025-0166",
  "modified": "2026-07-02T07:59:25Z",
  "published": "2025-10-23T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/stackvector"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0166.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/Alexhuszagh/rust-stackvector/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Alexhuszagh/rust-stackvector/pull/6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Alexhuszagh/rust-stackvector/commit/02b947afdeeb1be95ec0888354aa76afdd9d0357"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/Alexhuszagh/rust-stackvector/issues/5"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Multiple soundness issues in `stackvector`"
}