GHSA-rhfx-m35p-ff5j

Source
https://github.com/advisories/GHSA-rhfx-m35p-ff5j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-rhfx-m35p-ff5j/GHSA-rhfx-m35p-ff5j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rhfx-m35p-ff5j
Published
2026-01-07T20:38:57Z
Modified
2026-02-04T02:52:11.999889Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Summary
`IterMut` violates Stacked Borrows by invalidating internal pointer
Details

Affected versions of this crate contain a soundness issue in the `IterMut` iterator implementation. The `IterMut::next` and `IterMut::next_back` methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer.

This invalidates the shared pointer held by the internal `HashMap`, violating Stacked Borrows rules.
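
The aliasing pattern described above, reduced to a miniature (an added example, not the lru crate's code): `Node`, `Cache` and the `keys` vector, which stands in for the key pointers held by the internal `HashMap`, are hypothetical names. The iterator shown is the sound shape, with the unsound shape given in a comment.

```rust
// Constructed miniature of the pattern; `Node` and `Cache` are hypothetical.
struct Node { key: String, val: u32 }

struct Cache {
    nodes: Vec<*mut Node>,     // owning pointers from Box::into_raw
    keys: Vec<*const String>,  // stands in for the key pointers the HashMap holds
}

impl Cache {
    fn new() -> Self { Cache { nodes: Vec::new(), keys: Vec::new() } }

    fn put(&mut self, key: &str, val: u32) {
        let p = Box::into_raw(Box::new(Node { key: key.to_string(), val }));
        // Shared (read-only) pointer to the key, kept for later lookups.
        let k: *const String = unsafe { &(*p).key };
        self.nodes.push(p);
        self.keys.push(k);
    }

    // Lookup dereferences the stored key pointers, so they must still be valid.
    fn get(&self, key: &str) -> Option<u32> {
        let i = self.keys.iter().position(|&k| unsafe { (&*k).as_str() == key })?;
        Some(unsafe { (*self.nodes[i]).val })
    }

    // Sound: the key is only ever reborrowed as shared; exclusivity covers `val` alone.
    // The unsound shape would be `(&*(&mut (*p).key), &mut (*p).val)`: the temporary
    // `&mut` to the key invalidates the pointers in `keys` under Stacked Borrows.
    fn iter_mut(&mut self) -> impl Iterator<Item = (&String, &mut u32)> + '_ {
        self.nodes.iter().map(|&p| unsafe { (&(*p).key, &mut (*p).val) })
    }
}

impl Drop for Cache {
    fn drop(&mut self) {
        for &p in &self.nodes { unsafe { drop(Box::from_raw(p)) } }
    }
}

fn main() {
    let mut c = Cache::new();
    c.put("a", 1);
    c.put("b", 2);
    for (_k, v) in c.iter_mut() { *v += 10; }
    println!("{:?} {:?}", c.get("a"), c.get("b"));
}
```

A normal build behaves the same for both shapes; running the code under Miri (`cargo miri test`) is what checks the Stacked Borrows rules.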

Database specific
{
    "severity": "LOW",
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-476"
    ],
    "github_reviewed_at": "2026-01-07T20:38:57Z"
}
Affected packages

crates.io / lru

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.9.0
Fixed
0.16.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-rhfx-m35p-ff5j/GHSA-rhfx-m35p-ff5j.json"