GHSA-Q95X-7G78-RCCV: Safe Rust Memory Corruption via Use-After-Free in oneringbuf Crate
Vulnerability ID: GHSA-Q95X-7G78-RCCV
CVSS Score: 6.3
Published: 2026-07-08
A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.
TL;DR
A public API design flaw in the oneringbuf crate allows safe Rust code to trigger a heap Use-After-Free and Double Free via premature deallocation of shared heap-backed ring buffers.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-416 (Use After Free)
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: Present (Application using specific public API)
- CVSS v4.0: 6.3 (Medium)
- Exploit Status: Proof-of-Concept Available
- CISA KEV Status: Not Listed
Affected Systems
- oneringbuf (Rust crate)
-
oneringbuf: < 0.8.0 (Fixed in:
0.8.0)
Code Analysis
Commit: 643a24b
Removed into_ref buffers' method. It is useless and its misuse could trigger a heap-use-after-free
Mitigation Strategies
- Upgrade oneringbuf dependency to 0.8.0 or newer
- Audit dependencies using cargo-audit to ensure vulnerable versions are not transitively imported
Remediation Steps:
- Open Cargo.toml in the affected Rust project.
- Locate the dependency line for oneringbuf.
- Modify the version requirement to '^0.8.0'.
- Run 'cargo update' to apply the changes.
- Verify with 'cargo audit' to ensure the threat is cleared.
References
Read the full report for GHSA-Q95X-7G78-RCCV on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)