- Reported:
- Issued:
- Package: rkyv (crates.io)
- Type: INFO Unsound
- Categories:
- Keywords: #panic-safety #memory-safety #use-after-free #double-free
- References:
- Patched:
- Unaffected:
Description
InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe.
Both functions iterate over their elements and call drop_in_place on each,
updating self.len only after the loop. If an element's Drop implementation
panics during the loop, self.len is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the
already-freed elements:

- InlineVec::clear() is called again from InlineVec's own Drop
  implementation when the value is later dropped.
- SerVec::clear() is called again by SerVec::with_capacity() after the
  user closure returns.
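The following is an added illustration, not rkyv's code: a minimal inline-vector model with the clear() shape described above next to a panic-safe variant. It assumes the default panic=unwind profile; Tracked, InlineBuf and run are hypothetical names chosen for the example.

```rust
use std::cell::Cell;
use std::mem::{self, MaybeUninit};
use std::panic::{self, AssertUnwindSafe};

thread_local! { static DROPS: Cell<usize> = Cell::new(0); } // constructed drop counter

// Hypothetical element type: dropping Tracked(1) panics, like a misbehaving user Drop impl.
struct Tracked(u32);
impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.with(|d| d.set(d.get() + 1));
        assert!(self.0 != 1, "Drop of element 1 panicked");
    }
}

// Simplified model of an inline vector: fixed storage plus a live-element count.
// Deliberately no Drop impl here; in rkyv, InlineVec's Drop calls clear() again,
// which is where the already-dropped slots would be revisited.
struct InlineBuf<T, const N: usize> { buf: [MaybeUninit<T>; N], len: usize }

impl<T, const N: usize> InlineBuf<T, N> {
    fn new() -> Self { Self { buf: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 } }
    fn push(&mut self, v: T) { self.buf[self.len].write(v); self.len += 1; }

    // Shape described in the advisory: len is updated only after the loop, so a
    // panicking Drop leaves len still covering slots that were already dropped.
    fn clear_unsound(&mut self) {
        for slot in &mut self.buf[..self.len] {
            unsafe { std::ptr::drop_in_place(slot.as_mut_ptr()) } // SAFETY: ..len is initialized
        }
        self.len = 0;
    }
    // Panic-safe variant: zero len before dropping anything. A panic mid-loop then
    // leaks the remaining elements (safe) instead of leaving them reachable (unsound).
    fn clear_fixed(&mut self) {
        let len = mem::replace(&mut self.len, 0);
        for slot in &mut self.buf[..len] {
            unsafe { std::ptr::drop_in_place(slot.as_mut_ptr()) } // SAFETY: ..len was initialized
        }
    }
}

/// Fills a buffer with Tracked(0..3), runs one clear variant under catch_unwind and
/// returns (drops observed, len left behind); the stale slots are never touched again.
fn run(fixed: bool) -> (usize, usize) {
    DROPS.with(|d| d.set(0));
    let mut v: InlineBuf<Tracked, 3> = InlineBuf::new();
    (0..3).for_each(|i| v.push(Tracked(i)));
    let r = panic::catch_unwind(AssertUnwindSafe(|| if fixed { v.clear_fixed() } else { v.clear_unsound() }));
    assert!(r.is_err());
    (DROPS.with(|d| d.get()), v.len) // unsound: (2, 3); fixed: (2, 0)
}
```

With the unsound shape, len still claims three live elements after two were dropped, so the next clear() re-drops them; the fixed shape leaves len at 0 and only leaks the third element.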
Impact
- CWE-415 (Double Free): heap corruption when the element type is one that
  owns memory, such as Box<T> or Vec<T>
- CWE-416 (Use-After-Free): memory corruption when an element is accessed
  following a caught panic
Both types of undefined behavior can be invoked in safe Rust, but only if
unwinding panics are enabled and std::panic::catch_unwind is used.
Advisory available under CC0-1.0 license.