PT-2026-48693 · Crates.Io · Metacall
Published: 2026-06-01 · Updated: 2026-06-01
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
exception_struct is a local stack variable, but the code passes its address to C as &mut exception_struct as *mut _ as *mut c_void. The returned MetaCallException value is then stored here:

    Ok(Self {
        exception_struct: Arc::new(exception_struct),
        value: exception_ptr,
        leak: false,
    })

Because leak is false, the destructor will run later. But the original exception pointer points to Rust stack memory.
Trigger
    #[test]
    fn exception_bad_free_safe_api() {
        let original = metacall::MetaCallException::new(
            "test",
            "test",
            "test",
            1,
        );
        drop(original); // AddressSanitizer: bad-free
    }
Impact
Every time a MetaCallException is created, dropping it leads to a bad-free. This can be triggered through the safe public API MetaCallException::new(), with no unsafe required from the caller.
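The pattern described above next to one way to avoid it, as an added example that is not the metacall crate's code. ExceptionData, c_wrap, c_destroy and new_stack_backed are hypothetical stand-ins for the C side and the flawed constructor, and the heap-allocating constructor is an assumed mitigation, not the project's fix.

```rust
use std::os::raw::c_void;
use std::sync::atomic::{AtomicUsize, Ordering};

// Constructed stand-in for the C-side exception record (hypothetical layout).
#[repr(C)]
struct ExceptionData { code: i64 }

static DESTROYED: AtomicUsize = AtomicUsize::new(0);

// Stand-ins for the C library (assumed behaviour): it keeps the pointer it is
// given and releases it on destroy. Real C code would call free().
fn c_wrap(data: *mut c_void) -> *mut c_void { data }
unsafe fn c_destroy(value: *mut c_void) {
    DESTROYED.fetch_add(1, Ordering::SeqCst);
    drop(unsafe { Box::from_raw(value as *mut ExceptionData) });
}

pub struct Exception { value: *mut c_void, leak: bool }

impl Exception {
    // Pattern from the advisory, shown for contrast and never called here:
    // `data` lives in this stack frame, so `value` dangles after return and
    // Drop hands a stack address to the deallocator (bad-free).
    #[allow(dead_code)]
    fn new_stack_backed(code: i64) -> Self {
        let mut data = ExceptionData { code };
        let value = c_wrap(&mut data as *mut _ as *mut c_void);
        Self { value, leak: false }
    }

    // Hardened form (assumption): the record is heap-allocated and ownership
    // moves to the C side, so the pointer outlives this frame and can be freed.
    pub fn new(code: i64) -> Self {
        let raw = Box::into_raw(Box::new(ExceptionData { code }));
        Self { value: c_wrap(raw as *mut c_void), leak: false }
    }

    pub fn code(&self) -> i64 { unsafe { (*(self.value as *const ExceptionData)).code } }
}

impl Drop for Exception {
    fn drop(&mut self) { if !self.leak { unsafe { c_destroy(self.value) } } }
}

// Number of times the destroy stand-in has run.
pub fn destroyed() -> usize { DESTROYED.load(Ordering::SeqCst) }

fn main() { println!("code = {}", Exception::new(1).code()); }
```

Raw pointers are not borrow-checked, which is why the stack-backed constructor compiles without complaint; running the crate's tests under AddressSanitizer, as in the trigger above, is what surfaces it.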
Affected Products
Metacall