DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-5W5R-MF82-595P: When 'Safe' Rust Walks the Plank: Cap'n Proto Undefined Behavior Deep Dive

Vulnerability ID: GHSA-5W5R-MF82-595P
Severity: Critical
Published: 2026-01-28

An undefined behavior vulnerability in the Rust implementation of Cap'n Proto (the capnp crate) lets safe code trigger memory-unsafe behavior. Two public struct fields, constant::Reader::words and RawStructSchema::encoded_node, exposed unvalidated encoded message data that internal code then parsed with unchecked reads, so a plain struct literal written in safe Rust could violate the invariants the library's unsafe code relies on. The impact depends on where the malformed data comes from: in the common case this is a soundness hole reachable only by code in the same process, but an application that builds these structs from untrusted input turns it into a memory corruption, denial of service or potentially code execution vector.

TL;DR

The capnp crate exposed public fields on constant::Reader and introspect::RawStructSchema that let safe code supply arbitrary bytes as if they were validated Cap'n Proto data. Internal functions then parsed those bytes with unchecked reads, which is Undefined Behavior (UB) as soon as the bytes are not what those readers assume.


⚠️ Exploit Status: Proof of concept (PoC)

Technical Details

  • Attack Vector: Local / Context-dependent (UB is reachable only by code that constructs the affected structs; it becomes remotely triggerable only where an application builds them from untrusted input)
  • Impact: Memory Corruption / Undefined Behavior
  • CWEs: CWE-242 (Use of Inherently Dangerous Function), CWE-822 (Untrusted Pointer Dereference), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
  • Status: Patched in 0.24.0
  • Language: Rust
  • Bug Class: Unsound API / safe wrapper around unsafe code whose invariants were exposed as public fields

Affected Systems

  • Rust applications depending on the capnp crate at any version below 0.24.0
  • Systems that build Cap'n Proto schemas dynamically at runtime and construct RawStructSchema values themselves
  • capnp (Rust, crates.io): < 0.24.0 (Fixed in: 0.24.0)

Code Analysis

Commit: 7b981f4

Fix constant::Reader safety by hiding fields and adding unsafe constructor

--- a/capnp/src/constant.rs
+++ b/capnp/src/constant.rs
-    pub words: &'static [crate::Word],
+    pub(crate) words: &'static [crate::Word],
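Review bot: the hunk closes the safe-code path into the unchecked reader but shows no replacement constructor, while the commit title says an `unsafe` one is added; that constructor needs a `# Safety` section stating what `words` must satisfy (the invariants the unchecked readers assume about the encoded data), otherwise the contract only moves from an undocumented field to an undocumented fn. Worth stating in the message as well: `pub words` -> `pub(crate) words` is a breaking change for any downstream code that wrote `constant::Reader { words: ... }` as a struct literal, which is why the remediation below also requires a matching capnpc release.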

Commit: e3aeec2

Fix RawStructSchema safety by hiding fields

--- a/capnp/src/introspect.rs
+++ b/capnp/src/introspect.rs
-    pub encoded_node: &'static [crate::Word],
+    pub(crate) encoded_node: &'static [crate::Word],
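Review bot: `pub(crate)` on `encoded_node` only restricts who may write the field; the in-crate code that decodes `encoded_node` still takes its well-formedness on trust, so whichever in-crate path now fills RawStructSchema must either be marked `unsafe` with the invariant spelled out or validate the encoded node before it is used. The hunk touches one field while the commit title says "hiding fields": the other fields of RawStructSchema that unchecked code reads need the same treatment in the same commit, or safe code keeps a way in.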

Exploit Details

  • Manual: a constant::Reader built as a struct literal with an invalid words slice, in entirely safe code, triggers UB as soon as the value is read

Mitigation Strategies

  • Encapsulation of the struct fields (pub(crate)), so safe code outside the crate can no longer populate them with arbitrary data
  • Marking the remaining constructor unsafe, with the invariants the unchecked readers rely on stated in its safety contract
  • Updating the dependency, since nothing short of the new API removes the hole
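To make the bug class behind the exploit and the mitigation concrete, here is a stand-alone Rust illustration added to this post. It is not capnp's code: a made-up reader with an `offset` invariant stands in for the crate's unvalidated `words` slice. The first half is the unsound shape (public fields, unchecked read), the second the hardened shape the fix applies (private fields, an `unsafe` constructor that carries the contract, and a safe validating constructor).

```rust
// Added illustration of the bug class (not capnp's code): a "safe" wrapper
// whose invariant lives in public fields, next to the hardened shape the fix
// applies. `offset` here stands in for the crate's unvalidated `words` slice.

/// Before the fix: both fields are public, so safe code can build a value
/// that breaks the invariant `offset < words.len()`.
pub struct UnsoundReader<'a> {
    pub words: &'a [u64],
    pub offset: usize,
}

impl<'a> UnsoundReader<'a> {
    /// Trusts the invariant with an unchecked read. Because any safe caller
    /// can construct `self` with a bad offset, this safe fn is unsound.
    pub fn get(&self) -> u64 {
        // SAFETY (wrong): "offset was validated at construction" - it was not;
        // construction is a plain struct literal that nothing checks.
        unsafe { *self.words.get_unchecked(self.offset) }
    }
}

/// Entirely safe code produces a reader whose invariant is already broken.
/// Calling `get` on it would be an out-of-bounds read (UB), so it is not called.
pub fn safe_code_breaks_invariant() -> bool {
    let words = [0xDEAD_BEEF_u64, 1, 2]; // constructed sample data
    let bad = UnsoundReader { words: &words, offset: 10 };
    bad.offset >= bad.words.len()
}

pub mod hardened {
    /// After the fix: fields are private to this module (capnp used
    /// `pub(crate)`, the boundary it needs), so every value comes through a
    /// constructor that either checks or explicitly takes on the contract.
    pub struct Reader<'a> {
        words: &'a [u64],
        offset: usize,
    }

    impl<'a> Reader<'a> {
        /// Trusted entry point, e.g. for generated code that emits known-good data.
        ///
        /// # Safety
        /// `offset` must be less than `words.len()`.
        pub unsafe fn from_raw_parts(words: &'a [u64], offset: usize) -> Self {
            debug_assert!(offset < words.len());
            Self { words, offset }
        }

        /// Untrusted entry point: validates, so it can stay safe and total.
        pub fn new(words: &'a [u64], offset: usize) -> Option<Self> {
            if offset < words.len() {
                // SAFETY: the contract of `from_raw_parts` was just checked.
                Some(unsafe { Self::from_raw_parts(words, offset) })
            } else {
                None
            }
        }

        /// Now genuinely safe: no value of `Self` violates the invariant.
        pub fn get(&self) -> u64 {
            // SAFETY: offset < words.len() holds for every constructed Reader.
            unsafe { *self.words.get_unchecked(self.offset) }
        }
    }
}

/// Reads through the hardened API; `None` is the safe answer for bad input.
pub fn hardened_read(words: &[u64], offset: usize) -> Option<u64> {
    hardened::Reader::new(words, offset).map(|r| r.get())
}

fn main() {
    let words = [0xDEAD_BEEF_u64, 1, 2];
    let ok = UnsoundReader { words: &words, offset: 0 };
    println!("unsound reader, valid offset: {:#x}", ok.get());
    println!("invariant broken from safe code: {}", safe_code_breaks_invariant());
    println!("hardened read at 0: {:?}", hardened_read(&words, 0));
    println!("hardened read at 10: {:?}", hardened_read(&words, 10));
    // hardened::Reader { words: &words, offset: 10 } no longer compiles here:
    // the fields are private, so the struct literal is rejected by rustc.
}
```

The point of the split constructors is that the `unsafe fn` is the only place where trust enters, and its `# Safety` text is the contract generated or otherwise trusted code signs up to; everything built from runtime data goes through `new`, which is allowed to fail instead of being allowed to lie.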

Remediation Steps:

  1. Update the capnp crate to version >= 0.24.0 and check the dependency tree for an older duplicate copy still pinned by another dependency
  2. Update capnpc (the schema compiler plugin) to version >= 0.24.0 and regenerate any checked-in generated code, since that code is what builds constant::Reader values from compile-time schema data
  3. Audit the codebase for manual initialization of capnp::constant::Reader (struct literals that set words directly)
  4. Audit the codebase for manual initialization of capnp::introspect::RawStructSchema (struct literals that set encoded_node directly); every such site must move to the new constructor, and where the data it feeds in is not known at compile time it must be validated before the unsafe call
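For steps 3 and 4, an added example scanner (written for this post, not part of the advisory or the capnp project) that flags struct-literal construction of the two types in a Rust source file. It tracks `use ... as` aliases, requires a turbofish for generic arguments (the only form legal in expression position), skips `//` comment lines and type positions, and ignores the bare name `Reader`, which capnp's generated code uses for every ordinary struct reader. The sample source is constructed for the demo; brace-grouped imports such as `use capnp::{constant::Reader as R}` are not parsed.

```rust
// Added audit helper (not capnp's code): flags struct-literal construction of
// the two types whose fields the fix hides. Handles fully qualified paths,
// `use ... as` aliases and turbofish generics; skips `//` comment lines and
// type positions (fn signatures, impl/struct headers, return types). Imports
// grouped in braces, e.g. `use capnp::{constant::Reader as R}`, are not parsed.

/// Canonical paths of the two types made pub(crate) in 0.24.0.
const TARGETS: [&str; 2] = ["capnp::constant::Reader", "capnp::introspect::RawStructSchema"];

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,          // 1-based line number
    pub target: &'static str, // the TARGETS entry the line constructs
    pub text: String,         // trimmed source line
}

fn is_ident_char(c: char) -> bool {
    c.is_alphanumeric() || c == '_'
}

/// Last path segments that identify a target: "constant::Reader" etc.
fn tail(target: &'static str) -> &'static str {
    target.splitn(2, "::").nth(1).unwrap()
}

/// Text before the name decides whether a following `{` is a struct literal
/// or an item body: declarations and return types put the name in type position.
fn in_type_position(prefix: &str) -> bool {
    let first = prefix
        .split(|c: char| !is_ident_char(c))
        .find(|w| !w.is_empty() && !matches!(*w, "pub" | "crate" | "super" | "self"));
    matches!(first, Some("fn" | "impl" | "struct" | "enum" | "trait" | "type"))
        || prefix.contains("->")
}

/// After the type name: optional turbofish `::<...>` (the only way to write
/// generic args in expression position), then `{` means a struct literal.
fn literal_follows(rest: &str) -> bool {
    let mut r = rest.trim_start();
    if let Some(after) = r.strip_prefix("::<") {
        let mut depth = 1usize;
        let mut close = None;
        for (i, c) in after.char_indices() {
            match c {
                '<' => depth += 1,
                '>' => {
                    depth -= 1;
                    if depth == 0 {
                        close = Some(i);
                        break;
                    }
                }
                _ => {}
            }
        }
        match close {
            Some(i) => r = after[i + 1..].trim_start(),
            None => return false,
        }
    }
    r.starts_with('{')
}

/// Scans one file's source text. Destructuring patterns use the same syntax
/// and are reported too; an auditor wants to see those as well.
pub fn find_manual_inits(src: &str) -> Vec<Finding> {
    // Names that denote a target here: the path tail always, plus aliases
    // that `use` lines introduce (a bare `use ...::Reader;` aliases "Reader").
    let mut names: Vec<(String, &'static str)> =
        TARGETS.iter().map(|t| (tail(*t).to_string(), *t)).collect();
    let mut out = Vec::new();
    for (idx, raw) in src.lines().enumerate() {
        let line = raw.trim();
        if line.starts_with("//") {
            continue;
        }
        if let Some(rest) = line.strip_prefix("use ") {
            let rest = rest.trim_end_matches(';');
            for t in TARGETS {
                if rest.contains(tail(t)) {
                    let alias = match rest.split(" as ").nth(1) {
                        Some(a) => a.trim(),
                        None => tail(t).rsplit("::").next().unwrap(),
                    };
                    names.push((alias.to_string(), t));
                }
            }
            continue;
        }
        let hit = names.iter().find_map(|(name, target)| {
            let mut from = 0;
            while let Some(i) = line[from..].find(name.as_str()) {
                let (start, end) = (from + i, from + i + name.len());
                let prefix = &line[..start];
                if !prefix.ends_with(is_ident_char)
                    && !line[end..].starts_with(is_ident_char)
                    && !in_type_position(prefix)
                    && literal_follows(&line[end..])
                {
                    return Some(*target);
                }
                from = end;
            }
            None
        });
        if let Some(target) = hit {
            out.push(Finding { line: idx + 1, target, text: line.to_string() });
        }
    }
    out
}

/// Constructed sample: what an audit might meet in a crate using capnp.
pub const SAMPLE_SRC: &str = r#"
use capnp::constant::Reader as ConstReader;
use capnp::introspect::RawStructSchema;

// ::capnp::constant::Reader { words: &[] }   commented out, ignored
pub static GOOD: ::capnp::constant::Reader<u32> = ::capnp::constant::Reader { words: &WORDS };
fn bad(words: &'static [capnp::Word]) -> ConstReader<u32> {
    ConstReader { words }
}
fn schema() -> RawStructSchema {
    RawStructSchema { encoded_node: &[] }
}
fn fine(r: Reader<'_>) -> Reader<'_> { r }
"#;

fn main() {
    for f in find_manual_inits(SAMPLE_SRC) {
        println!("line {:>3} [{}] {}", f.line, f.target, f.text);
    }
}
```

Run it over each `.rs` file in the workspace (including vendored and checked-in generated code); every hit is a site that will stop compiling against 0.24.0 and has to be rewritten against the new constructor, and any hit whose data is not a compile-time constant is where the UB was actually reachable.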

Read the full report for GHSA-5W5R-MF82-595P on our website for more details including interactive diagrams and full exploit analysis.