RUSTSEC-2026-0122
ADVISORY - rustsecSummary
InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe.
Both functions iterate over their elements and call drop_in_place on each,
updating self.len only after the loop. If an element's Drop implementation
panics during the loop, self.len is left at its original value.
A subsequent invocation of clear() on the same container then re-visits the
already-freed elements:
InlineVec::clear()is called again fromInlineVec's ownDropimplementation when the value is later dropped.SerVec::clear()is called again bySerVec::with_capacity()after the user closure returns.
Impact
- CWE-415 (Double Free): heap corruption when the element type is one that
owns memory, such as
Box<T>orVec<T> - CWE-416 (Use-After-Free): memory corruption when an element is accessed following a caught panic
Both types of undefined behavior can be invoked in safe Rust, but only if
unwinding panics are enabled and std::panic::catch_unwind is used.
Common Weakness Enumeration (CWE)
RustSec
CREATED
UPDATED
ADVISORY IDRUSTSEC-2026-0122
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| rkyv | cargo | - | - | >=0.8.0,<0.8.16 | 0.8.16 |
Severity and metrics
No CVSS data available from this advisory.