RUSTSEC-2026-0001

Potential Undefined Behaviors in Arc<T>/Rc<T> impls of from_value on OOM

Reported

January 5, 2026

Issued

January 5, 2026 (last modified: January 6, 2026)

Package

rkyv (crates.io)

Type

Vulnerability

Categories

memory-corruption

Keywords

#oom #undefined-behavior

References

https://github.com/rkyv/rkyv/issues/644

Patched

>=0.7.46, <0.8.0
>=0.8.13

Description

The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T> in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the allocator returns a null pointer on OOM (Out of Memory).

This null pointer can flow through to SharedPointer::from_value, which calls Box::from_raw(ptr) with the null pointer. This triggers undefined behavior when utilizing safe deserialization APIs (such as rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs during the allocation of the shared pointer.

The issue is reachable through safe code and violates Rust's safety guarantees.

Advisory available under CC0-1.0 license.