Reported

May 2, 2026

Issued

May 13, 2026

Package

emap (crates.io)

Type

INFO Unsound

Categories

• memory-corruption

Keywords

#double-free #use-after-free

References

• https://github.com/yegor256/emap/issues/168

Patched

no patched versions

Description

Keys::next() uses ptr::read to move out the Option<V> by value, which drops the contained V when V is non-Copy (e.g. String). This leaves a dangling value in the map's storage slot. Subsequent get() operations on that key return a dangling reference to already-freed memory.

This can be triggered through safe public APIs — Map::keys(), Keys::next(), and Map::get() — with no unsafe required from the caller. Under Miri, accessing the freed slot produces "Undefined Behavior: pointer not dereferenceable: alloc has been freed, so this pointer is dangling".

Advisory available under CC0-1.0 license.