Reported

June 20, 2026

Issued

June 22, 2026

Package

memmap2 (crates.io)

Type

INFO Unsound

Keywords

#pointer-arithmetic #out-of-bounds

References

• https://github.com/RazrFalcon/memmap2-rs/issues/169
• https://github.com/RazrFalcon/memmap2-rs/pull/170

Patched

• >=0.9.11

Affected Functions

Version

memmap2::Mmap::advise_range

• >=0.5.9
• <0.9.11

memmap2::Mmap::unchecked_advise_range

• >=0.8.0
• <0.9.11

memmap2::MmapMut::advise_range

• >=0.5.9
• <0.9.11

memmap2::MmapMut::flush_async_range

• <0.9.11

memmap2::MmapMut::flush_range

• <0.9.11

memmap2::MmapMut::unchecked_advise_range

• >=0.8.0
• <0.9.11

Description

Affected versionf of memmap2 did not perform enough validation on the offset and len parameters of Mmap::[unchecked_]advise_range(), MmapMut::[unchecked_]advise_ranage() and MmapMut::flush[_async]_range().

This can cause undefined behavior due to invalid values being passed to pointer::offset() and pointer::add() when passing an out-of-bounds range to any of the affected functions.

The flaw was corrected in commit [cee7cf0] and released in version 0.9.11.

The invalid pointer is not dereferenced, but it is passed to the madvise and msync syscalls and their Windows equivalents.

[cee7cf0] https://github.com/RazrFalcon/memmap2-rs/pull/170/changes/cee7cf03a9ee095982a3c37b7aac8e3f68f1a00c

Advisory available under CC0-1.0 license.