PT-2026-6355 · Crates.Io · Bytes
Published 2026-02-03 · Updated 2026-02-03
CVSS v4.0: 5.4 (Medium)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P |
Details
In the unique reclaim path of `BytesMut::reserve`, the condition `if v_capacity >= new_cap + offset` uses an unchecked addition. When `new_cap + offset` overflows `usize` in release builds, this condition may incorrectly pass, causing `self.cap` to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as `spare_capacity_mut()` then trust this corrupted `cap` value and may create out-of-bounds slices, leading to UB.

This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.
PoC
```rust
use bytes::*;

fn main() {
    let mut a = BytesMut::from(&b"hello world"[..]);
    let mut b = a.split_off(5);
    // Ensure b becomes the unique owner of the backing storage
    drop(a);
    // Trigger overflow in new_cap + offset inside reserve
    b.reserve(usize::MAX - 6);
    // This call relies on the corrupted cap and may cause UB & HBO
    b.put_u8(b'h');
}
```
Workarounds
Users of `BytesMut::reserve` are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.

This vulnerability is also known as RUSTSEC-2026-0007.
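The check from Details, evaluated with the PoC's values and placed next to a `checked_add` variant. This is an added example, not code from the bytes crate or the advisory. The function names, the `len + additional` computation of `new_cap`, the 11-byte capacity and the checked form are assumptions made for illustration.

```rust
// Simplified model of the capacity check described in Details.
// Not the bytes crate's code; v_capacity, new_cap and offset follow the advisory text.

/// Unchecked form as it behaves when integer overflow wraps.
/// wrapping_add makes the wrap explicit, so the result is the same in any build profile.
fn can_reclaim_wrapping(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    v_capacity >= new_cap.wrapping_add(offset)
}

/// Hardened form (assumption, one way to write it): an overflowing sum
/// can never fit in the allocation, so the reclaim path is refused.
fn can_reclaim_checked(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    match new_cap.checked_add(offset) {
        Some(needed) => v_capacity >= needed,
        None => false,
    }
}

/// Values the PoC produces: 11-byte buffer, split_off(5), reserve(usize::MAX - 6).
fn poc_values() -> (usize, usize, usize) {
    let v_capacity = 11; // assumed: allocation capacity equals b"hello world".len()
    let offset = 5; // b starts 5 bytes into the backing storage
    let len = v_capacity - offset; // 6 bytes remain in b
    let additional = usize::MAX - 6; // argument passed to reserve
    let new_cap = len + additional; // assumed formula; equals usize::MAX, no overflow yet
    (v_capacity, new_cap, offset)
}

fn main() {
    let (v_capacity, new_cap, offset) = poc_values();
    println!("new_cap + offset wraps to {}", new_cap.wrapping_add(offset));
    println!("unchecked check passes: {}", can_reclaim_wrapping(v_capacity, new_cap, offset));
    println!("checked check passes:   {}", can_reclaim_checked(v_capacity, new_cap, offset));
}
```

With `overflow-checks = true` in the Cargo release profile, the plain `new_cap + offset` panics instead of wrapping, which is the configuration the workaround refers to.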
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Bytes