RUSTSEC-2026-0002

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0002
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0002.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0002
Aliases
Published
2026-01-07T12:00:00Z
Modified
2026-01-08T05:56:19.144318Z
Summary
`IterMut` violates Stacked Borrows by invalidating internal pointer
Details

Affected versions of this crate contain a soundness issue in the IterMut iterator implementation. The IterMut::next and IterMut::next_back methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer.

This invalidates the shared pointer held by the internal HashMap, violating Stacked Borrows rules.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / lru

Package

Name
lru
View open source insights on deps.dev
Purl
pkg:cargo/lru

Affected ranges

Type
SEMVER
Events
Introduced
0.9.0
Fixed
0.16.3

Ecosystem specific 

{
    "affects": {
        "arch": [],
        "functions": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

cvss 
null
source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0002.json"
categories 
[
    "memory-corruption"
]
informational 
"unsound"