RUSTSEC-2026-0122

Source
https://rustsec.org/advisories/RUSTSEC-2026-0122
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0122.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0122
Published
2026-04-23T12:00:00Z
Modified
2026-05-16T07:08:02Z
Summary
Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`
Details

`InlineVec::clear()` and `SerVec::clear()` in rkyv were not panic-safe. Both functions iterate over their elements and call `drop_in_place` on each, updating `self.len` only after the loop. If an element's `Drop` implementation panics during the loop, `self.len` is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the already-freed elements:

  • `InlineVec::clear()` is called again from `InlineVec`'s own `Drop` implementation when the value is later dropped.
  • `SerVec::clear()` is called again by `SerVec::with_capacity()` after the user closure returns.

Impact

  • CWE-415 (Double Free): heap corruption when the element type is one that owns memory, such as `Box<T>` or `Vec<T>`
  • CWE-416 (Use-After-Free): memory corruption when an element is accessed following a caught panic

Both types of undefined behavior can be triggered from safe Rust, but only if unwinding panics are enabled and `std::panic::catch_unwind` is used.
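
The ordering problem described under Details, shown side by side with a panic-safe ordering. This is an added example, not rkyv's code and not part of the advisory: `ToyVec`, `Probe` and `drop_counts` are hypothetical names, and the hardened ordering is one common approach, not necessarily the fix shipped in 0.8.16.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Hypothetical container that tracks `len` by hand; a stand-in, not rkyv's code.
struct ToyVec<T> { slots: Vec<MaybeUninit<T>>, len: usize, len_first: bool }
impl<T> ToyVec<T> {
    fn new(items: Vec<T>, len_first: bool) -> Self {
        let len = items.len();
        ToyVec { slots: items.into_iter().map(MaybeUninit::new).collect(), len, len_first }
    }
    fn clear(&mut self) {
        let n = self.len;
        if self.len_first { self.len = 0; } // hardened: forget elements before dropping any
        for slot in &mut self.slots[..n] {
            unsafe { std::ptr::drop_in_place(slot.as_mut_ptr()) };
        }
        self.len = 0; // advisory's pattern: never reached if a Drop impl panics above
    }
}

impl<T> Drop for ToyVec<T> {
    fn drop(&mut self) { self.clear(); } // second clear(), as in InlineVec's Drop
}

// Constructed element: counts its drops and panics the first time element 1 is dropped.
// It owns no heap memory, so a repeated drop shows up as a count instead of corruption.
struct Probe<'a> { id: usize, drops: &'a [Cell<usize>; 3] }
impl Drop for Probe<'_> {
    fn drop(&mut self) {
        let n = self.drops[self.id].get() + 1;
        self.drops[self.id].set(n);
        if self.id == 1 && n == 1 { panic!("constructed panic in Drop"); }
    }
}

// Returns how many times each of the three elements was dropped.
fn drop_counts(len_first: bool) -> [usize; 3] {
    let drops = [Cell::new(0), Cell::new(0), Cell::new(0)];
    let items: Vec<_> = (0..3).map(|id| Probe { id, drops: &drops }).collect();
    let mut v = ToyVec::new(items, len_first);
    let caught = catch_unwind(AssertUnwindSafe(|| v.clear()));
    assert!(caught.is_err()); // the panic from Probe::drop was caught
    drop(v); // runs clear() again on the same container
    drops.map(|c| c.get())
}

fn main() { println!("{:?} {:?}", drop_counts(false), drop_counts(true)); }
```

With `len` updated after the loop, elements 0 and 1 are dropped twice; with `len` zeroed first, no element is dropped twice and the element after the panicking one is leaked, which is safe.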

Database specific
{
    "license": "CC0-1.0"
}
Affected packages

crates.io / rkyv

Affected ranges

Type
SEMVER
Events
Introduced
0.8.0
Fixed
0.8.16

Ecosystem specific

{
    "affects": {
        "arch": [],
        "functions": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

categories
[
    "code-execution",
    "memory-corruption"
]
cvss
null
informational
"unsound"
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0122.json"