rustsec-2026-0078
Vulnerability from osv_rustsec
Affected versions of this crate can leave all SymbolTable variants in an
internally inconsistent state if a custom BuildHasher panics during
HashMap::insert and the caller recovers with catch_unwind.
The intern implementations committed a vec.push(...) before the matching
map.insert(...) completed. If hashing panicked in that window, later lookups
and inserts could observe diverging vec and map lengths.
In release builds, this can lead to symbol confusion where a newly interned string resolves to previously interned attacker-controlled contents. In debug builds, the same corruption is detected by follow-up assertions and results in panics.
The flaw was corrected in version 1.13.3 by making the vec mutation
transactional across unwind boundaries so partially inserted entries are rolled
back before the panic propagates.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"intaglio::SymbolTable::intern",
"intaglio::bytes::SymbolTable::intern",
"intaglio::cstr::SymbolTable::intern",
"intaglio::osstr::SymbolTable::intern",
"intaglio::path::SymbolTable::intern"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "intaglio",
"purl": "pkg:cargo/intaglio"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "1.13.3"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Affected versions of this crate can leave all `SymbolTable` variants in an\ninternally inconsistent state if a custom `BuildHasher` panics during\n`HashMap::insert` and the caller recovers with `catch_unwind`.\n\nThe `intern` implementations committed a `vec.push(...)` before the matching\n`map.insert(...)` completed. If hashing panicked in that window, later lookups\nand inserts could observe diverging `vec` and `map` lengths.\n\nIn release builds, this can lead to symbol confusion where a newly interned\nstring resolves to previously interned attacker-controlled contents. In debug\nbuilds, the same corruption is detected by follow-up assertions and results in\npanics.\n\nThe flaw was corrected in version 1.13.3 by making the `vec` mutation\ntransactional across unwind boundaries so partially inserted entries are rolled\nback before the panic propagates.",
"id": "RUSTSEC-2026-0078",
"modified": "2026-03-30T21:40:18Z",
"published": "2026-03-30T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/intaglio"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0078.html"
},
{
"type": "REPORT",
"url": "https://github.com/artichoke/intaglio/issues/359"
},
{
"type": "REPORT",
"url": "https://github.com/artichoke/intaglio/issues/359"
},
{
"type": "WEB",
"url": "https://github.com/artichoke/intaglio/pull/360"
}
],
"related": [],
"severity": [],
"summary": "Symbol confusion after hasher panic in `intaglio` interners"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.