rustsec-2026-0122
Vulnerability from osv_rustsec
Published
2026-04-23 12:00
Modified
2026-05-11 13:59
Summary
Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`
Details
InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe.
Both functions iterate over their elements and call drop_in_place on each,
updating self.len only after the loop. If an element's Drop implementation
panics during the loop, self.len is left at its original value.
A subsequent invocation of clear() on the same container then re-visits the
already-freed elements:
InlineVec::clear()is called again fromInlineVec's ownDropimplementation when the value is later dropped.SerVec::clear()is called again bySerVec::with_capacity()after the user closure returns.
Impact
- CWE-415 (Double Free): heap corruption when the element type is one that
owns memory, such as
Box<T>orVec<T> - CWE-416 (Use-After-Free): memory corruption when an element is accessed following a caught panic
Both types of undefined behavior can be invoked in safe Rust, but only if
unwinding panics are enabled and std::panic::catch_unwind is used.
{
"affected": [
{
"database_specific": {
"categories": [
"code-execution",
"memory-corruption"
],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "rkyv",
"purl": "pkg:cargo/rkyv"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.16"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe.\nBoth functions iterate over their elements and call `drop_in_place` on each,\nupdating `self.len` only *after* the loop. If an element\u0027s `Drop` implementation\npanics during the loop, `self.len` is left at its original value.\n\nA subsequent invocation of `clear()` on the same container then re-visits the\nalready-freed elements:\n\n- `InlineVec::clear()` is called again from `InlineVec`\u0027s own `Drop`\n implementation when the value is later dropped.\n- `SerVec::clear()` is called again by `SerVec::with_capacity()` after the\n user closure returns.\n\n## Impact\n- **CWE-415 (Double Free):** heap corruption when the element type is one that\n owns memory, such as `Box\u003cT\u003e` or `Vec\u003cT\u003e`\n- **CWE-416 (Use-After-Free):** memory corruption when an element is accessed\n following a caught panic\n\nBoth types of undefined behavior can be invoked in safe Rust, but only if\nunwinding panics are enabled and `std::panic::catch_unwind` is used.",
"id": "RUSTSEC-2026-0122",
"modified": "2026-05-11T13:59:32Z",
"published": "2026-04-23T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/rkyv"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0122.html"
},
{
"type": "WEB",
"url": "https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb"
}
],
"related": [],
"severity": [],
"summary": "Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…