Sign In

GHSA-vfvv-c25p-m7mm

ADVISORY - github

Summary

InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the already-freed elements:

  • InlineVec::clear() is called again from InlineVec's own Drop implementation when the value is later dropped.
  • SerVec::clear() is called again by SerVec::with_capacity() after the user closure returns.

Technical Impact

  • CWE-415 (Double Free): Heap corruption when element type holds Box<T>
  • CWE-416 (Use-After-Free): Memory corruption when element reads from heap during Drop

Both vulnerabilities are triggerable entirely from safe Rust via std::panic::catch_unwind and require no special privileges.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-415

Double Free

CWE-416

Use After Free

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-vfvv-c25p-m7mm
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-415CWE-416

CVSS SCORE

6.9medium

RustSec

CREATED

UPDATED

ADVISORY IDRUSTSEC-2026-0122
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-qjhc-5cr2-23m4

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-r5p2-pg4c-fcpj

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY