Vulnerability-Lookup

GHSA-VFVV-C25P-M7MM

Vulnerability from github – Published: 2026-05-15 18:09 – Updated: 2026-05-15 18:09

Summary

rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution

Details

InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the already-freed elements:

InlineVec::clear() is called again from InlineVec's own Drop implementation when the value is later dropped.
SerVec::clear() is called again by SerVec::with_capacity() after the user closure returns.

Technical Impact

CWE-415 (Double Free): Heap corruption when element type holds Box<T>
CWE-416 (Use-After-Free): Memory corruption when element reads from heap during Drop

Both vulnerabilities are triggerable entirely from safe Rust via std::panic::catch_unwind and require no special privileges.

Severity

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rkyv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-15T18:09:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe. Both functions iterate over their elements and call `drop_in_place` on each, updating `self.len` only *after* the loop. If an element\u0027s `Drop` implementation panics during the loop, `self.len` is left at its original value.\n\nA subsequent invocation of `clear()` on the same container then re-visits the already-freed elements:\n\n- `InlineVec::clear()` is called again from `InlineVec`\u0027s own `Drop` implementation when the value is later dropped.\n- `SerVec::clear()` is called again by `SerVec::with_capacity()` after the  user closure returns.\n\n\n## Technical Impact\n\n- **CWE-415 (Double Free):** Heap corruption when element type holds `Box\u003cT\u003e`  \n- **CWE-416 (Use-After-Free):** Memory corruption when element reads from heap during `Drop`\n\nBoth vulnerabilities are triggerable entirely from safe Rust via `std::panic::catch_unwind` and require no special privileges.",
  "id": "GHSA-vfvv-c25p-m7mm",
  "modified": "2026-05-15T18:09:10Z",
  "published": "2026-05-15T18:09:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rkyv/rkyv"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0122.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution"
}

rustsec-2026-0122

Vulnerability from osv_rustsec

Published

2026-04-23 12:00

Modified

2026-05-16 07:08

Summary

Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`

Details

A subsequent invocation of clear() on the same container then re-visits the already-freed elements:

InlineVec::clear() is called again from InlineVec's own Drop implementation when the value is later dropped.
SerVec::clear() is called again by SerVec::with_capacity() after the user closure returns.

Impact

CWE-415 (Double Free): heap corruption when the element type is one that owns memory, such as Box<T> or Vec<T>
CWE-416 (Use-After-Free): memory corruption when an element is accessed following a caught panic

Both types of undefined behavior can be invoked in safe Rust, but only if unwinding panics are enabled and std::panic::catch_unwind is used.

References

URL

Type

	https://crates.io/crates/rkyv	PACKAGE
	https://rustsec.org/advisories/RUSTSEC-2026-0122.html	ADVISORY
	https://github.com/rkyv/rkyv/commit/5828cf5c27b66…	WEB

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "code-execution",
          "memory-corruption"
        ],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "rkyv",
        "purl": "pkg:cargo/rkyv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.16"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-vfvv-c25p-m7mm"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe.\nBoth functions iterate over their elements and call `drop_in_place` on each,\nupdating `self.len` only *after* the loop. If an element\u0027s `Drop` implementation\npanics during the loop, `self.len` is left at its original value.\n\nA subsequent invocation of `clear()` on the same container then re-visits the\nalready-freed elements:\n\n- `InlineVec::clear()` is called again from `InlineVec`\u0027s own `Drop`\n  implementation when the value is later dropped.\n- `SerVec::clear()` is called again by `SerVec::with_capacity()` after the\n  user closure returns.\n\n## Impact\n- **CWE-415 (Double Free):** heap corruption when the element type is one that\n  owns memory, such as `Box\u003cT\u003e` or `Vec\u003cT\u003e`\n- **CWE-416 (Use-After-Free):** memory corruption when an element is accessed\n  following a caught panic\n\nBoth types of undefined behavior can be invoked in safe Rust, but only if\nunwinding panics are enabled and `std::panic::catch_unwind` is used.",
  "id": "RUSTSEC-2026-0122",
  "modified": "2026-05-16T07:08:02Z",
  "published": "2026-04-23T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/rkyv"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0122.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted