rustsec-2026-0191
Vulnerability from osv_rustsec
Affected versions of `solana_rbpf` expose the safe method
`EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by
casting `self` to `*mut u64` and applying a randomized offset derived from
`get_runtime_environment_key()`.
The resulting pointer arithmetic is performed with `ptr::offset`, which
requires the computed pointer to remain within the same allocation. In practice,
the randomized offset can move the pointer far outside the allocation
containing the `EbpfVm`, causing undefined behavior before the supplied builtin
function is invoked.
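The contract described above, as an added example (not code from `solana_rbpf` or `solana-sbpf`, and not necessarily how the upstream fix is written): it checks when `ptr::offset` would be legal and performs the same obfuscation round trip with `wrapping_offset`, which has no in-bounds requirement. `Vm`, `offset_in_bounds`, `obfuscate`, `recover` and the key values are hypothetical.

```rust
use std::mem::size_of;

// Hypothetical stand-in for the VM object; not solana_rbpf's `EbpfVm`.
pub struct Vm {
    pub registers: [u64; 4],
}

/// True only if `(vm as *mut u64).offset(key)` would satisfy the contract of
/// `ptr::offset`: the result must lie inside the allocation holding `Vm`,
/// or exactly one byte past its end.
pub fn offset_in_bounds(key: isize) -> bool {
    match key.checked_mul(size_of::<u64>() as isize) {
        Some(bytes) => bytes >= 0 && bytes as usize <= size_of::<Vm>(),
        None => false, // the byte offset itself overflows isize
    }
}

/// Obfuscate with `wrapping_offset`, which is defined for any offset.
/// The result must not be dereferenced until `recover` has undone the shift.
pub fn obfuscate(vm: *mut Vm, key: isize) -> *mut u64 {
    (vm as *mut u64).wrapping_offset(key)
}

/// Undo the shift; the pointer keeps its original provenance throughout.
pub fn recover(obfuscated: *mut u64, key: isize) -> *mut Vm {
    obfuscated.wrapping_offset(key.wrapping_neg()) as *mut Vm
}

fn main() {
    let mut vm = Vm { registers: [1, 2, 3, 4] };
    let base: *mut Vm = &mut vm;
    // Constructed sample keys; a randomized key is almost never in bounds.
    for key in [0isize, 4, 5, -1, 0x1234_5678, isize::MIN] {
        let back = recover(obfuscate(base, key), key);
        // Dereferencing is fine here because `back` is `base` again.
        let r2 = unsafe { (*back).registers[2] };
        println!(
            "key={:#x} ptr::offset legal: {} registers[2]={}",
            key,
            offset_in_bounds(key),
            r2
        );
    }
}
```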
Unmaintained
The upstream `solana_rbpf` repository is archived, and no patched version of
this crate is currently available.
Users should migrate to the maintained `solana-sbpf`
crate. The issue has been fixed there in
`anza-xyz/sbpf#151`.
{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "solana_rbpf::vm::EbpfVm::invoke_function"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "solana_rbpf",
        "purl": "pkg:cargo/solana_rbpf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of `solana_rbpf` expose the safe method\n`EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by\ncasting `self` to `*mut u64` and applying a randomized offset derived from\n`get_runtime_environment_key()`.\n\nThe resulting pointer arithmetic is performed with `ptr::offset`, which\nrequires the computed pointer to remain within the same allocation. In practice,\nthe randomized offset can move the pointer far outside the allocation\ncontaining the `EbpfVm`, causing undefined behavior before the supplied builtin\nfunction is invoked.\n\n## Unmaintained\n\nThe upstream `solana_rbpf` repository is archived, and no patched version of\nthis crate is currently available.\n\nUsers should migrate to the maintained [`solana-sbpf`](https://crates.io/crates/solana-sbpf)\ncrate. The issue has been fixed there in\n[`anza-xyz/sbpf#151`](https://github.com/anza-xyz/sbpf/pull/151).",
  "id": "RUSTSEC-2026-0191",
  "modified": "2026-06-29T14:39:58Z",
  "published": "2026-05-28T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/solana_rbpf"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0191.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solana-labs/rbpf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anza-xyz/sbpf/pull/151"
    },
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/solana-sbpf"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "`EbpfVm::invoke_function` performs out-of-bounds pointer arithmetic"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.