github-actions[bot] opened a new issue, #2435:
URL: https://github.com/apache/iceberg-rust/issues/2435

   
   > Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`
   
   | Details             |                                                |
   | ------------------- | ---------------------------------------------- |
   | Status              | unsound                |
   | Package             | `rkyv`                      |
   | Version             | `0.8.15`                   |
   | URL                 | [https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb](https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb) |
   | Date                | 2026-04-23                         |
   
   `InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe.
   Both functions iterate over their elements and call `drop_in_place` on each,
   updating `self.len` only *after* the loop. If an element's `Drop` implementation
   panics during the loop, `self.len` is left at its original value.
   
   A subsequent invocation of `clear()` on the same container then re-visits the
   already-freed elements:
   
   - `InlineVec::clear()` is called again from `InlineVec`'s own `Drop`
     implementation when the value is later dropped.
   - `SerVec::clear()` is called again by `SerVec::with_capacity()` after the
     user closure returns.
   
   ## Impact
   - **CWE-415 (Double Free):** heap corruption when the element type is one that
     owns memory, such as `Box<T>` or `Vec<T>`
   - **CWE-416 (Use-After-Free):** memory corruption when an element is accessed
     following a caught panic
   
   Both types of undefined behavior can be invoked in safe Rust, but only if
   unwinding panics are enabled and `std::panic::catch_unwind` is used.
   
   See [advisory page](https://rustsec.org/advisories/RUSTSEC-2026-0122.html) for additional details.
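One panic-safe way to write `clear()` for the pattern the advisory describes (zero `len` before any destructor runs), as an added Rust example that is not rkyv's code and not its actual fix commit: `TinyVec`, `Noisy` and `DROPS` are hypothetical, and `drops_after_panicking_clear()` reproduces the advisory's sequence of a caught panic in one element's `Drop` followed by a second `clear()` from the container's own `Drop`.

```rust
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};

/// Constructed instrumentation: how many `Noisy` values have been dropped so far.
static DROPS: AtomicUsize = AtomicUsize::new(0);
/// Element whose destructor can be told to panic, standing in for a user `Drop`.
struct Noisy { panic_on_drop: bool }
impl Drop for Noisy {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
        if self.panic_on_drop { panic!("element Drop panicked"); }
    }
}

/// Hypothetical fixed-capacity inline vector (not rkyv's `InlineVec`).
struct TinyVec<T, const N: usize> { buf: [MaybeUninit<T>; N], len: usize }
impl<T, const N: usize> TinyVec<T, N> {
    fn new() -> Self { Self { buf: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 } }
    fn push(&mut self, value: T) {
        assert!(self.len < N, "capacity exhausted");
        self.buf[self.len].write(value);
        self.len += 1;
    }
    /// Panic-safe clear: `len` is zeroed *before* any destructor runs, so a
    /// panicking `Drop` cannot leave already-dropped slots counted as live.
    /// Elements after the panicking one are leaked, which is memory-safe.
    fn clear(&mut self) {
        let len = std::mem::replace(&mut self.len, 0);
        for slot in &mut self.buf[..len] {
            // SAFETY: slots 0..len were initialised by `push`; each is dropped at
            // most once because `len` is already 0 for any re-entrant clear().
            unsafe { slot.assume_init_drop() };
        }
    }
}
impl<T, const N: usize> Drop for TinyVec<T, N> {
    fn drop(&mut self) { self.clear(); } // same re-entry path as InlineVec's own Drop
}

/// Advisory scenario: the middle element's `Drop` panics during `clear()`, the panic
/// is caught, then the vector is dropped, which calls `clear()` a second time.
/// Returns (clear panicked, total `Noisy` drops observed): expected (true, 2).
fn drops_after_panicking_clear() -> (bool, usize) {
    DROPS.store(0, Ordering::SeqCst);
    let mut v: TinyVec<Noisy, 4> = TinyVec::new();
    for flag in [false, true, false] { v.push(Noisy { panic_on_drop: flag }); }
    let panicked = catch_unwind(AssertUnwindSafe(|| v.clear())).is_err();
    drop(v);
    (panicked, DROPS.load(Ordering::SeqCst))
}
```

With the unsound ordering (`len` updated only after the loop) the second `clear()` would revisit slots 0 and 1 and the drop count would exceed 2; here it stays at 2 and the third element is leaked rather than double-dropped.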
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
