CVE Reports

Posted on • Originally published at cvereports.com

GHSA-RHFX-M35P-FF5J: Borrow Checker's Revenge: Stacked Borrows Violation in Rust's `lru` Crate

Vulnerability ID: GHSA-RHFX-M35P-FF5J
CVSS Score: 6.9
Published: 2026-01-07

A deep dive into a soundness vulnerability in the popular lru Rust crate, where IterMut implementation details violated Stacked Borrows rules, leading to Undefined Behavior.

TL;DR

The lru crate (versions < 0.13.0) contained a soundness bug in its mutable iterator. By creating a temporary exclusive reference (&mut) to a key that was simultaneously aliased by the internal HashMap, the code violated Rust's aliasing rules (Stacked Borrows). This invalidates pointers held by the map, leading to Undefined Behavior that Miri screams about and LLVM might miscompile.


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Local
  • CVSS Score: 6.9
  • Effect: Memory Corruption / UB
  • Language: Rust
  • Component: IterMut
  • Root Cause: Stacked Borrows Violation

Affected Systems

  • Rust applications using lru crate < 0.13.0
  • lru: < 0.13.0 (Fixed in: 0.13.0)

Code Analysis

Commit: b2c2c9d

Fix Stacked Borrows violation in IterMut

let key = unsafe { &mut (*(*self.ptr).key.as_mut_ptr()) as &mut K }; -> let key = unsafe { &*(*self.ptr).key.as_ptr() };

Exploit Details

  • GitHub: Miri error logs demonstrating UB

Mitigation Strategies

  • Upgrade lru crate to version 0.13.0 or later.
  • Run cargo miri test on any project utilizing unsafe code blocks.
  • Avoid raw pointer casts to mutable references when aliases exist.
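The aliasing pattern from the TL;DR and the last mitigation above, as an added example (not code from the lru crate or from the original report). `Node`, `Cache`, `key_index` and the function names are assumptions made for illustration; the key is borrowed with the shared form from the fix, and the pre-fix form appears only in a comment.

```rust
use std::mem::MaybeUninit;

struct Node<K, V> { // constructed stand-in for a cache node; all names are assumptions
    key: MaybeUninit<K>,
    val: MaybeUninit<V>,
}

struct Cache<K, V> {
    nodes: Vec<*mut Node<K, V>>,
    key_index: Vec<*const K>, // second pointer to each key, like the internal map's
}

impl<K, V> Cache<K, V> {
    fn push(&mut self, k: K, v: V) {
        let node = Box::into_raw(Box::new(Node { key: MaybeUninit::new(k), val: MaybeUninit::new(v) }));
        self.key_index.push(unsafe { (&(*node).key).as_ptr() });
        self.nodes.push(node);
    }

    // Hands out (&K, &mut V) per node, as a mutable iterator over the cache does.
    fn for_each_mut(&mut self, mut f: impl FnMut(&K, &mut V)) {
        for &node in &self.nodes {
            // Pre-fix form: `&mut *(*node).key.as_mut_ptr()`. That `&mut` to the key
            // invalidates the alias in `key_index`, so later reads through it are UB.
            let key = unsafe { &*(&(*node).key).as_ptr() };
            let val = unsafe { &mut *(&mut (*node).val).as_mut_ptr() };
            f(key, val);
        }
    }

    fn keys_via_index(&self) -> Vec<&K> {
        self.key_index.iter().map(|&p| unsafe { &*p }).collect()
    }
}

impl<K, V> Drop for Cache<K, V> {
    fn drop(&mut self) {
        for &n in &self.nodes {
            // MaybeUninit never drops its contents: read them out, then free the node.
            unsafe { let n = Box::from_raw(n); drop((n.key.assume_init_read(), n.val.assume_init_read())); }
        }
    }
}

fn main() {
    let mut c = Cache { nodes: Vec::new(), key_index: Vec::new() };
    c.push("a", 1);
    c.for_each_mut(|_, v| *v += 1);
    assert_eq!(c.keys_via_index(), [&"a"]);
}
```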

Remediation Steps:

  1. Check your Cargo.toml.
  2. Locate the lru dependency.
  3. Update the version constraint: lru = ">=0.13.0".
  4. Run cargo update to pull the patched version.
