RUSTSEC-2026-0139

Null-pointer dereference and double-free via safe APIs

Reported
Issued
Package: metacall (crates.io)
Type: INFO Unsound
Categories
Keywords: #double-free #null-pointer #undefined-behavior
References
Patched: no patched versions

Description

Two soundness violations exist in the Rust bindings for MetaCall:

Null-pointer dereference: MetaCallFuture::new_raw() accepts a raw pointer without validation. The Debug impl calls Box::from_raw(self.data) on it. Passing a null pointer causes the Debug impl to construct a NonNull from null, producing undefined behavior.

Double-free: MetaCallPointer::clone() shares the same rust_value raw pointer between the clone and the original. Calling get_value_untyped() on both clones calls Box::from_raw on the same pointer twice, resulting in a double-free.

Both issues can be triggered through safe public APIs — MetaCallFuture::new_raw(), MetaCallPointer::new(), clone(), and get_value_untyped() — with no unsafe required from the caller.
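
A sound shape for this kind of wrapper, as an added example that is not taken from the advisory or from metacall's code. RawOwned and demo are hypothetical names: the raw constructor is unsafe and rejects null, clone deep-copies, the value is taken by consuming self, and Debug only borrows.

```rust
use std::{fmt, mem::ManuallyDrop, ptr::NonNull};
/// Hypothetical owner of one heap allocation (invariant: unique, live, from a Box).
pub struct RawOwned<T> { ptr: NonNull<T> }

impl<T> RawOwned<T> {
    pub fn new(value: T) -> Self {
        Self { ptr: NonNull::from(Box::leak(Box::new(value))) }
    }
    /// Safety: `raw` must be null, or come from `Box::into_raw` with no other owner.
    pub unsafe fn from_raw(raw: *mut T) -> Option<Self> {
        NonNull::new(raw).map(|ptr| Self { ptr }) // null is rejected, not stored
    }
    /// Takes `self` by value, so the Box is rebuilt at most once per allocation.
    pub fn into_value(self) -> Box<T> {
        let this = ManuallyDrop::new(self); // skip Drop: ownership moves to the Box
        unsafe { Box::from_raw(this.ptr.as_ptr()) }
    }
}

impl<T: Clone> Clone for RawOwned<T> {
    fn clone(&self) -> Self {
        // Deep copy into a fresh allocation instead of copying the pointer.
        Self::new(unsafe { self.ptr.as_ref() }.clone())
    }
}

impl<T> Drop for RawOwned<T> {
    fn drop(&mut self) {
        unsafe { drop(Box::from_raw(self.ptr.as_ptr())) }
    }
}

impl<T: fmt::Debug> fmt::Debug for RawOwned<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // A `&self` method only borrows the value; it never rebuilds the Box.
        write!(f, "RawOwned({:?})", unsafe { self.ptr.as_ref() })
    }
}

/// Exercises clone + take on both copies, Debug, and the null check.
pub fn demo() -> (String, String, String, bool) {
    let a = RawOwned::new(String::from("payload"));
    let b = a.clone();
    let shown = format!("{:?}", a);
    let null_rejected = unsafe { RawOwned::<String>::from_raw(std::ptr::null_mut()) }.is_none();
    (*a.into_value(), *b.into_value(), shown, null_rejected)
}

fn main() { println!("{:?}", demo()); }
```

Running a build of this example under Miri (cargo miri run) is a quick way to confirm that no allocation is freed twice.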

Advisory available under CC0-1.0 license.