RUSTSEC-2026-0190

Source
https://rustsec.org/advisories/RUSTSEC-2026-0190
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0190.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0190
Published
2026-06-25T12:00:00Z
Modified
2026-06-29T14:15:03.650725453Z
Summary
Unsoundness in `Error::downcast_mut()`
Details

Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via `Error::context` and then later calls `Error::downcast_mut` on the returned `Error`.

The flaw was corrected in commit 6e8c000 by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain.

Example

use anyhow::Error;
use std::fmt;

#[derive(Debug)]
struct ErrorContext(&'static str);

impl fmt::Display for ErrorContext {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Display::fmt(&self.0, f)
    }
}

fn main() {
    let mut error = Error::msg("inner error").context(ErrorContext("old context"));
    let context: &mut ErrorContext = error.downcast_mut().unwrap();
    context.0 = "new context";
    println!("{:?}", error);
}

Miri output

error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location
   --> src/ptr.rs:170:18
    |
170 |         unsafe { &mut *self.ptr.as_ptr() }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
   --> src/ptr.rs:89:18
    |
 89 |             ptr: NonNull::from(ptr),
    |                  ^^^^^^^^^^^^^^^^^^
    = note: stack backtrace:
            0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
                at src/ptr.rs:170:18: 170:41
            1: anyhow::error::<impl anyhow::Error>::downcast_mut::<ErrorContext>
                at src/error.rs:560:18: 560:46
            2: main
                at examples/downcast_mut.rs:15:38: 15:58
Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / anyhow

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
1.0.103
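
One way to check a project against this range, as an added example that is not part of the advisory or of anyhow: a dependency-free scan of Cargo.lock text for anyhow entries below the fixed version 1.0.103. The function names and the sample lockfile are constructed for illustration, and versions that cannot be parsed are reported rather than skipped.

```rust
// Added example, not advisory code. FIXED is the "Fixed" event listed above.
const FIXED: (u64, u64, u64) = (1, 0, 103);

/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into (triple, has_prerelease).
fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let v = v.split('+').next()?; // build metadata does not affect ordering
    let (core, pre) = v.split_once('-').map_or((v, false), |(c, _)| (c, true));
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; }
    Some((triple, pre))
}

/// Some(true) inside the affected range, None if the version is unparseable.
/// A pre-release of the fixed version sorts before it in SemVer, so it counts.
fn is_affected(version: &str) -> Option<bool> {
    let (triple, pre) = parse_version(version)?;
    Some(triple < FIXED || (triple == FIXED && pre))
}

/// Return every locked anyhow version that is affected or cannot be parsed.
fn affected_anyhow_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = None;
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new package block: forget the previous name
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == Some("anyhow") && is_affected(v) != Some(false) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"anyhow\"\nversion = \"1.0.102\"\n\n\
[[package]]\nname = \"demo-app\"\nversion = \"0.1.0\"\ndependencies = [\n \"anyhow\",\n]\n";

fn main() {
    for v in affected_anyhow_versions(SAMPLE_LOCK) {
        println!("anyhow {v} is affected by RUSTSEC-2026-0190; update to >= 1.0.103");
    }
}
```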

Ecosystem specific

{
    "affects": {
        "arch": [],
        "os": [],
        "functions": [
            "anyhow::Error::downcast_mut"
        ]
    },
    "affected_functions": null
}

Database specific

categories
[
    "memory-corruption"
]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0190.json"
cvss
null
informational
"unsound"