RUSTSEC-2025-0016
- Source
- https://rustsec.org/advisories/RUSTSEC-2025-0016
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0016.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2025-0016
- Published
- 2025-03-13T12:00:00Z
- Modified
- 2025-03-22T10:21:17Z
- Summary
- Use after free in `Parc` and `Prc` due to missing lifetime constraints
- Details
-
Affected versions of this crate didn't provide sufficient lifetime constraints to conversion functions from
alloc::sync::Arcandalloc::rc::Rc, which made it possible to create projections of these reference counted pointers. Unlike the original reference counted pointers, these projections could outlive original data's lifetimes.This projected pointer could cause the original
Arc's orRc'sDrop::dropto get called at a point where the original data was no longer valid, leading to a potential use after free.The affected functions were -
pared::prc::Prc::from_rc-pared::prc::Prc::project-pared::prc::Prc::try_from_rc-pared::sync::Parc::from_arc-pared::sync::Parc::project-pared::sync::Parc::try_from_arcThis flaw was fixed in 108f540ea8acb6073751a1aa386085c1cdc4fd1e by requiring that the type stored in the
Arcs andRcs passed to these functions containT: 'static. - Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / pared
Package
- Name
- pared
- View open source insights on deps.dev
- Purl
- pkg:cargo/pared