RustSec logo

HistoryEditJSON (OSV)

RUSTSEC-2025-0166

Multiple soundness issues in stackvector

Reported
Issued
Package
stackvector (crates.io)
Type
INFO Unsound
References
Patched
  • >=2.0.0

Description

Affected versions of stackvector contained multiple soundness issues that could allow safe Rust code to trigger undefined behavior.

One issue was that StackVec::length was exposed as a public field. Safe Rust code could set length to a value larger than the backing array capacity. Other safe methods, including remove, pop, and truncate, relied on length before performing unsafe pointer operations (ptr::read, ptr::copy, offset/add). If length was corrupted by safe code, these methods could perform out-of-bounds pointer arithmetic, reads, writes, or copies.

The upstream maintainer also identified additional soundness issues, including the use of mem::uninitialized in StackVec::from_vec_unchecked, which was reachable through from_vec, and Miri violations related to MaybeUninit usage.

Version 2.0.0 was released to fix the known soundness issues.

Advisory available under CC0-1.0 license.