[Pkg-rust-maintainers] Bug#1124688: rust-rkyv: RUSTSEC-2026-0001
Salvatore Bonaccorso
carnil at debian.org
Mon Jan 5 16:40:44 GMT 2026
Source: rust-rkyv
Version: 0.8.12-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rkyv/rkyv/issues/644
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>From https://github.com/rkyv/rkyv/issues/644
https://rustsec.org/advisories/RUSTSEC-2026-0001.html
| The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T>
| in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the
| allocator returns a null pointer on OOM (Out of Memory).
|
| This null pointer can flow through to SharedPointer::from_value, which
| calls Box::from_raw(ptr) with the null pointer. This triggers undefined
| behavior when utilizing safe deserialization APIs (such as
| rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs
| during the allocation of the shared pointer.
|
| The issue is reachable through safe code and violates Rust's safety
| guarantees.
Regards,
Salvatore
More information about the Pkg-rust-maintainers
mailing list