PT-2026-39707 · Crates.Io · Rkyv

Published 2026-04-23 · Updated 2026-04-23

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value.
A subsequent invocation of clear() on the same container then re-visits the already-freed elements:
  • InlineVec::clear() is called again from InlineVec's own Drop implementation when the value is later dropped.
  • SerVec::clear() is called again by SerVec::with_capacity() after the user closure returns.

Impact

  • CWE-415 (Double Free): heap corruption when the element type is one that owns memory, such as Box<T> or Vec<T>
  • CWE-416 (Use-After-Free): memory corruption when an element is accessed following a caught panic
Both types of undefined behavior can be triggered from safe Rust, but only if unwinding panics are enabled and std::panic::catch_unwind is used.
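
The ordering problem described above, reproduced on a toy container as an added example (this is not rkyv's code). ToyVec, Probe and the len_first switch are hypothetical, and resetting len before the loop is one common panic-safe ordering, assumed here rather than taken from the rkyv fix.

```rust
use std::cell::RefCell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Constructed probe: logs every drop and panics the first time element 0 is
// dropped. It owns no heap memory, so a repeated drop is recorded, not freed twice.
struct Probe<'a> { id: usize, log: &'a RefCell<Vec<usize>> }

impl Drop for Probe<'_> {
    fn drop(&mut self) {
        self.log.borrow_mut().push(self.id);
        let seen = self.log.borrow().iter().filter(|&&i| i == self.id).count();
        if self.id == 0 && seen == 1 { panic!("Drop of element 0 panicked"); }
    }
}

// Hypothetical container (not rkyv's InlineVec or SerVec) that tracks len by hand.
struct ToyVec<T> { buf: Vec<MaybeUninit<T>>, len: usize, len_first: bool }

impl<T> ToyVec<T> {
    fn push(&mut self, v: T) { self.buf.push(MaybeUninit::new(v)); self.len += 1; }
    fn clear(&mut self) {
        let n = self.len;
        // Panic-safe ordering: forget the elements before any Drop runs (a panic then only leaks).
        if self.len_first { self.len = 0; }
        // The first n slots were initialised by push(); whether they are still live depends on len.
        for slot in &mut self.buf[..n] { unsafe { slot.assume_init_drop() } }
        // Ordering the advisory describes: never reached when a Drop panics.
        self.len = 0;
    }
}

impl<T> Drop for ToyVec<T> {
    fn drop(&mut self) { self.clear(); } // second clear(), as in InlineVec's Drop
}

// Returns the element ids in the order their Drop implementations ran.
fn drop_log(len_first: bool) -> Vec<usize> {
    let log = RefCell::new(Vec::new());
    {
        let mut v = ToyVec { buf: Vec::new(), len: 0, len_first };
        for id in 0..3 { v.push(Probe { id, log: &log }); }
        assert!(catch_unwind(AssertUnwindSafe(|| v.clear())).is_err());
    } // v is dropped here, which calls clear() again
    log.into_inner()
}

fn main() {
    println!("{:?} vs {:?}", drop_log(false), drop_log(true));
}
```

With len updated after the loop, element 0 appears twice in the log; with an element type such as Box<T> that second drop would be the double free listed under Impact.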

Related identifiers

RUSTSEC-2026-0122

Affected products

Rkyv