GHSA-vfvv-c25p-m7mm

ADVISORY - github

Summary

InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the already-freed elements:

  • InlineVec::clear() is called again from InlineVec's own Drop implementation when the value is later dropped.
  • SerVec::clear() is called again by SerVec::with_capacity() after the user closure returns.

Technical Impact

  • CWE-415 (Double Free): heap corruption when the element type owns heap memory such as a Box<T>
  • CWE-416 (Use-After-Free): memory corruption when the element's Drop implementation reads from heap memory that was already freed

Both vulnerabilities are triggerable entirely from safe Rust via std::panic::catch_unwind and require no special privileges.
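As an added illustration (not rkyv's code), the following toy fixed-capacity vector shows the panic-safe shape of clear(): len is zeroed before any element is dropped, so a panicking Drop leaks the remaining slots instead of leaving a stale len for the next clear() to walk. Elem, the drop counter and this InlineVec are constructed for the demo, and "zero len first, leak on panic" is one possible remedy, not necessarily the fix rkyv shipped.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;

thread_local! { static DROPS: Cell<usize> = Cell::new(0); }

// Constructed element type: counts drops and can be told to panic in Drop.
struct Elem { panic_on_drop: bool }
impl Drop for Elem {
    fn drop(&mut self) {
        DROPS.with(|d| d.set(d.get() + 1));
        if self.panic_on_drop { panic!("Drop panicked mid-clear"); }
    }
}

// Toy inline vector (constructed for this demo, not rkyv's InlineVec).
struct InlineVec<T, const N: usize> { buf: [MaybeUninit<T>; N], len: usize }

impl<T, const N: usize> InlineVec<T, N> {
    fn new() -> Self { Self { buf: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 } }
    fn push(&mut self, v: T) { assert!(self.len < N); self.buf[self.len].write(v); self.len += 1; }

    // Panic-safe clear: len is zeroed BEFORE any element is dropped. The bug
    // described above zeroed len only after the loop, so a panicking Drop left
    // len stale and the next clear() (e.g. from Drop) re-dropped freed slots.
    fn clear(&mut self) {
        let old_len = std::mem::replace(&mut self.len, 0);
        for i in 0..old_len {
            // SAFETY: slots 0..old_len were initialised by push(). If this drop
            // panics, the remaining slots are leaked, never dropped twice.
            unsafe { ptr::drop_in_place(self.buf[i].as_mut_ptr()) };
        }
    }
}

impl<T, const N: usize> Drop for InlineVec<T, N> {
    fn drop(&mut self) { self.clear(); } // the second clear() from the advisory
}

// Scenario from the advisory: a Drop panics during clear(), the panic is caught,
// then the container is dropped. Returns (total drops, panic caught, len after clear).
fn clear_under_panic() -> (usize, bool, usize) {
    DROPS.with(|d| d.set(0));
    let mut v: InlineVec<Elem, 4> = InlineVec::new();
    v.push(Elem { panic_on_drop: false });
    v.push(Elem { panic_on_drop: true });
    v.push(Elem { panic_on_drop: false });
    let caught = catch_unwind(AssertUnwindSafe(|| v.clear())).is_err();
    let len_after = v.len;
    drop(v); // with a stale len this would re-drop slots 0..3; here it is a no-op
    (DROPS.with(|d| d.get()), caught, len_after)
}
```

Running clear_under_panic() yields two drops (the first element and the one that panicked), a caught panic, and len 0, so the container's own Drop touches nothing; the same harness run against the original pattern is how a double drop would be surfaced in tests.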

Common Weakness Enumeration (CWE)

Double Free

Use After Free
