CVE Reports

Posted on • Originally published at cvereports.com

GHSA-VFVV-C25P-M7MM: Memory Corruption via Panic Safety Flaw in rkyv Collections

Vulnerability ID: GHSA-VFVV-C25P-M7MM
CVSS Score: High (Unscored)
Published: 2026-05-15

The rkyv zero-copy deserialization framework for Rust suffers from a panic safety vulnerability in its manual memory management logic. The flaw allows memory corruption, specifically Double Free and Use-After-Free, when an element destructor panics while a vector is being cleared.

TL;DR

A panic safety bug in rkyv's InlineVec::clear and SerVec::clear methods leads to Use-After-Free and Double Free conditions if element destructors panic. Upgrading to 0.8.16 resolves the issue by updating container state before initiating destructors.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-415 / CWE-416
  • Attack Vector: Local / Application-Level
  • Impact: Memory Corruption / Denial of Service
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed
  • CVSS: High (Unscored)

Affected Systems

  • Rust applications dependent on rkyv versions >= 0.8.0 and < 0.8.16 utilizing InlineVec or SerVec
  • rkyv: >= 0.8.0, < 0.8.16 (Fixed in: 0.8.16)

Code Analysis

Commit: 5828cf5

Fix panic safety in InlineVec and SerVec clear methods by updating length before dropping elements.
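
The ordering the fix describes, as an added example that is not rkyv's code: TinyVec, Noisy and DROPS are hypothetical names for a simplified fixed-capacity vector whose clear() resets its length before running destructors, so a panicking Drop can leak elements but cannot cause one to be dropped twice.

```rust
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};
// Total destructor runs; any double drop pushes this past the element count.
static DROPS: AtomicUsize = AtomicUsize::new(0);
// Constructed element type whose destructor panics when `boom` is set.
struct Noisy { boom: bool }
impl Drop for Noisy {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
        if self.boom { panic!("destructor panicked"); }
    }
}

// Hypothetical fixed-capacity vector, a stand-in for an inline container.
struct TinyVec<T, const N: usize> { slots: [MaybeUninit<T>; N], len: usize }
impl<T, const N: usize> TinyVec<T, N> {
    fn new() -> Self {
        Self { slots: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 }
    }
    fn push(&mut self, v: T) {
        assert!(self.len < N, "capacity exceeded");
        self.slots[self.len].write(v);
        self.len += 1;
    }
    fn clear(&mut self) {
        // Record an empty container BEFORE any destructor runs. If len were reset
        // only after the loop, a panic would leave it covering dropped slots.
        let live = std::mem::replace(&mut self.len, 0);
        for i in 0..live {
            unsafe { self.slots[i].assume_init_drop() }; // SAFETY: set by push()
        }
    }
}
impl<T, const N: usize> Drop for TinyVec<T, N> {
    fn drop(&mut self) { self.clear(); }
}

// Clears a vector whose middle element panics on drop, then drops the vector.
fn drops_after_panicking_clear() -> usize {
    DROPS.store(0, Ordering::SeqCst);
    let mut v: TinyVec<Noisy, 3> = TinyVec::new();
    for boom in [false, true, false] { v.push(Noisy { boom }); }
    let unwound = catch_unwind(AssertUnwindSafe(|| v.clear())).is_err();
    drop(v); // runs clear() again, which now sees len == 0
    if unwound { DROPS.load(Ordering::SeqCst) } else { usize::MAX }
}
fn main() { println!("destructor runs: {}", drops_after_panicking_clear()); }
```

The third element is leaked rather than dropped, which is memory-safe; the first two destructors each run exactly once even though the container is cleared a second time.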

Mitigation Strategies

  • Upgrade the rkyv dependency to version 0.8.16.
  • Avoid utilizing panicking Drop implementations in data structures serialized or deserialized by rkyv.
  • Avoid catching panics via std::panic::catch_unwind when interacting with unsafe memory containers.

Remediation Steps:

  1. Identify the current version of rkyv in your Cargo.toml or Cargo.lock file.
  2. Update the version constraint to require ">=0.8.16".
  3. Run cargo update -p rkyv to apply the patched version.
  4. Recompile and run unit tests with Miri to ensure memory safety bounds are respected.

Read the full report for GHSA-VFVV-C25P-M7MM on our website for more details including interactive diagrams and full exploit analysis.