rustsec-2026-0191
Vulnerability from osv_rustsec
Published
2026-05-28 12:00
Modified
2026-06-29 14:39
Summary
`EbpfVm::invoke_function` performs out-of-bounds pointer arithmetic
Details

Affected versions of `solana_rbpf` expose the safe method `EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by casting `self` to `*mut u64` and applying a randomized offset derived from `get_runtime_environment_key()`.

The resulting pointer arithmetic is performed with `ptr::offset`, which requires the computed pointer to remain within the same allocation. In practice, the randomized offset can move the pointer far outside the allocation containing the `EbpfVm`, causing undefined behavior before the supplied builtin function is invoked.

Unmaintained

The upstream `solana_rbpf` repository is archived, and no patched version of this crate is currently available.

Users should migrate to the maintained `solana-sbpf` crate. The issue has been fixed there in anza-xyz/sbpf#151.
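The soundness rule the advisory relies on is that `ptr::offset` (and `add`/`sub`) is only defined while the result stays inside the original allocation, whereas `wrapping_offset` is defined for any offset and only the eventual dereference has to be in bounds. The following is an added illustration, not code from `solana_rbpf`, `solana-sbpf` or the linked fix: it models the same obfuscate-then-pass-to-builtin pattern with a constructed `Vm` type and a fixed stand-in for the runtime environment key, using the defined API so the round trip is sound even though the intermediate pointer lies far outside the allocation.

```rust
// Added example: obfuscating a VM pointer with a large offset without
// invoking undefined behavior. `Vm`, `RUNTIME_ENVIRONMENT_KEY`, `obfuscate`,
// `deobfuscate` and `bump` are constructed for this example; they are not the
// types or functions of solana_rbpf / solana-sbpf.

struct Vm {
    counter: u64,
}

/// Stand-in for a per-process randomized key. A real VM would draw this from
/// a CSPRNG at startup; a constant keeps the example deterministic.
const RUNTIME_ENVIRONMENT_KEY: isize = 0x3_5f2d;

/// Hide the address of `vm` by adding `RUNTIME_ENVIRONMENT_KEY` u64 slots.
/// The result is far outside the `Vm` allocation, so `offset()` would be
/// undefined behavior here; `wrapping_offset()` is defined for any count
/// because it performs plain integer arithmetic on the address.
fn obfuscate(vm: &mut Vm) -> *mut u64 {
    let raw = vm as *mut Vm as *mut u64;
    // UB variant the advisory describes (do not use): `unsafe { raw.offset(KEY) }`
    raw.wrapping_offset(RUNTIME_ENVIRONMENT_KEY)
}

/// Invert `obfuscate`. Subtracting the same count brings the pointer back
/// inside the allocation, so the caller may dereference the result again.
fn deobfuscate(hidden: *mut u64) -> *mut Vm {
    hidden.wrapping_offset(-RUNTIME_ENVIRONMENT_KEY) as *mut Vm
}

/// Check that obfuscation actually changes the address and that the round
/// trip restores it exactly.
fn round_trip_preserves_address(vm: &mut Vm) -> bool {
    let original = vm as *mut Vm;
    let hidden = obfuscate(vm);
    hidden != original as *mut u64 && deobfuscate(hidden) == original
}

/// Pass the VM to a host builtin through the obfuscated pointer, the way a
/// VM hands itself to native functions, and return the counter afterwards.
fn invoke_through_obfuscated(vm: &mut Vm, builtin: fn(*mut Vm)) -> u64 {
    let hidden = obfuscate(vm);
    // `deobfuscate` yields the pointer derived from `vm`, which is in bounds
    // again, so the builtin may dereference it.
    builtin(deobfuscate(hidden));
    vm.counter
}

/// Constructed builtin: increments the VM counter through the raw pointer.
fn bump(vm: *mut Vm) {
    // SAFETY: callers pass a pointer obtained from a live `&mut Vm`.
    unsafe {
        (*vm).counter += 1;
    }
}

fn main() {
    let mut vm = Vm { counter: 0 };
    println!("round trip ok: {}", round_trip_preserves_address(&mut vm));
    println!("counter after builtin: {}", invoke_through_obfuscated(&mut vm, bump));
}
```

Running the `offset()` variant under Miri reports the out-of-bounds arithmetic at the `offset` call itself, before any dereference, which is the class of defect the advisory describes; the `wrapping_offset()` form passes because Miri only checks bounds on access.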


{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "solana_rbpf::vm::EbpfVm::invoke_function"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "solana_rbpf",
        "purl": "pkg:cargo/solana_rbpf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of `solana_rbpf` expose the safe method\n`EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by\ncasting `self` to `*mut u64` and applying a randomized offset derived from\n`get_runtime_environment_key()`.\n\nThe resulting pointer arithmetic is performed with `ptr::offset`, which\nrequires the computed pointer to remain within the same allocation. In practice,\nthe randomized offset can move the pointer far outside the allocation\ncontaining the `EbpfVm`, causing undefined behavior before the supplied builtin\nfunction is invoked.\n\n## Unmaintained\n\nThe upstream `solana_rbpf` repository is archived, and no patched version of\nthis crate is currently available.\n\nUsers should migrate to the maintained [`solana-sbpf`](https://crates.io/crates/solana-sbpf)\ncrate. The issue has been fixed there in\n[`anza-xyz/sbpf#151`](https://github.com/anza-xyz/sbpf/pull/151).",
  "id": "RUSTSEC-2026-0191",
  "modified": "2026-06-29T14:39:58Z",
  "published": "2026-05-28T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/solana_rbpf"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0191.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solana-labs/rbpf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anza-xyz/sbpf/pull/151"
    },
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/solana-sbpf"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "`EbpfVm::invoke_function` performs out-of-bounds pointer arithmetic"
}
