RustSec Advisories

RUSTSEC-2026-0122: Unsoundness in rkyv

2026-05-11T12:00:00+00:00

RUSTSEC-2026-0122

Potential use-after-free due to lack of panic safety in InlineVec::clear and SerVec::clear

Reported

April 23, 2026

Issued

May 11, 2026

Package

rkyv (crates.io)

Type

INFO Unsound

Categories

Keywords

#panic-safety #memory-safety #use-after-free #double-free

References

https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb

Patched

>=0.8.16

Unaffected

<0.8.0

Description

InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the already-freed elements:

InlineVec::clear() is called again from InlineVec's own Drop implementation when the value is later dropped.
SerVec::clear() is called again by SerVec::with_capacity() after the user closure returns.

Impact

CWE-415 (Double Free): heap corruption when the element type is one that owns memory, such as Box<T> or Vec<T>
CWE-416 (Use-After-Free): memory corruption when an element is accessed following a caught panic

Both types of undefined behavior can be invoked in safe Rust, but only if unwinding panics are enabled and std::panic::catch_unwind is used.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0121: Vulnerability in steamworks

2026-05-06T12:00:00+00:00

RUSTSEC-2026-0121

Denial of service in Steamworks game clients/servers using P2P authentication

Reported

May 5, 2026

Issued

May 6, 2026

Package

steamworks (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#panic

References

https://github.com/Noxime/steamworks-rs/issues/321

Patched

>=0.13.1

Affected Functions

Version

steamworks::Client::process_callbacks

<0.13.1

steamworks::Client::register_callback

<0.13.1

steamworks::Server::begin_authentication_session

<0.13.1

steamworks::User::begin_authentication_session

<0.13.1

steamworks::ValidateAuthTicketResponse::from_raw

<0.13.1

Description

Processing the raw ValidateAuthTicketResponse_t callback data panics when the m_eAuthSessionResponse field is k_EAuthSessionResponseAuthTicketNetworkIdentityFailure. This can lead to denial of service in game clients and servers using the begin_authentication_session API to authenticate players if a malicious game client sends an authentication ticket with a network identity that does not match that of the verifier.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0119: Vulnerability in hickory-proto

2026-05-07T12:00:00+00:00

RUSTSEC-2026-0119

CPU exhaustion during message encoding due to O(n²) name compression

Reported

May 1, 2026

Issued

May 1, 2026 (last modified: May 7, 2026)

Package

hickory-proto (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#dns

Aliases

GHSA-q2qq-hmj6-3wpp

References

https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp

Related

CVE-2024-8508

Patched

>=0.26.1

Unaffected

<0.3.1

Description

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>. The name compression logic then searches for matches with a linear scan.

A malicious message with many records can both introduce many candidate labels, and invoke this linear scan many times. This can amplify CPU exhaustion in DoS attacks.

This is similar to CVE-2024-8508.

We recommend all affected users update to hickory-proto 0.26.1 for the fix.

Advisory available under CC-BY-4.0 license. Source: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp

RUSTSEC-2026-0118: Vulnerability in hickory-proto

2026-05-07T12:00:00+00:00

RUSTSEC-2026-0118

NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses

Reported

May 1, 2026

Issued

May 1, 2026 (last modified: May 7, 2026)

Package

hickory-proto (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#dns #dnssec #nsec3

Aliases

GHSA-3v94-mw7p-v465

References

https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465

Patched

no patched versions

Unaffected

<0.25.0-alpha.3
>=0.26.0-beta.1

Description

The NSEC3 closest-encloser proof validation in hickory-proto's DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA name. When the SOA in a response's authority section is not an ancestor of the QNAME, the loop stalls at the DNS root and never terminates, repeatedly calling Name::base_name() and pushing newly allocated Name and hashed-name entries into the candidate Vec.

The bug is reachable by any caller of DnssecDnsHandle — including the resolver, recursor, and client — when built with the dnssec-ring or dnssec-aws-lc-rs feature and configured to perform DNSSEC validation. It is triggered while validating a NoData or NXDomain response whose authority section contains an SOA record from a zone other than an ancestor of the QNAME, on a code path that requires NSEC3 closest-encloser proof. In practice this can be reached through an insecure CNAME chain that crosses zone boundaries into a DNSSEC-signed zone returning NoData, but the minimum condition is just a mismatched SOA owner on a response requiring NSEC3 validation.

A debug_assert_ne!(name, Name::root()) guards the loop body, so debug builds abort with a panic on the first iteration past the root. Release builds compile the assertion out and run the loop unbounded, allocating until the process exhausts available memory (OOM). A reachable upstream attacker who can return such a response can therefore crash a debug-built validator or exhaust memory on a release-built one.

The affected code was migrated from hickory-proto to hickory-net as part of the 0.26.0 release. The hickory-proto 0.26.x release no longer offers DnssecDnsHandle and so we recommend all affected users update to hickory-net 0.26.1 when the implementation of that type is required.

Advisory available under CC-BY-4.0 license. Source: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465

RUSTSEC-2026-0120: Vulnerability in hickory-net

2026-05-07T12:00:00+00:00

RUSTSEC-2026-0120

NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses

Reported

May 1, 2026

Issued

May 1, 2026 (last modified: May 7, 2026)

Package

hickory-net (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#dns #dnssec #nsec3

Aliases

GHSA-3v94-mw7p-v465

References

https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465

Patched

>=0.26.1

Description

The NSEC3 closest-encloser proof validation in hickory-net's DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA name. When the SOA in a response's authority section is not an ancestor of the QNAME, the loop stalls at the DNS root and never terminates, repeatedly calling Name::base_name() and pushing newly allocated Name and hashed-name entries into the candidate Vec.

We recommend all affected users update to hickory-net 0.26.1 for the fix.

Advisory available under CC-BY-4.0 license. Source: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465

RUSTSEC-2026-0115: Unsoundness in imageproc

2026-05-07T12:00:00+00:00

RUSTSEC-2026-0115

Fragile bounds check when sampling from image

Reported

May 1, 2026

Issued

May 1, 2026 (last modified: May 7, 2026)

Package

imageproc (crates.io)

Type

INFO Unsound

Categories

memory-exposure

Keywords

#out-of-bounds-read #memory-safety

Aliases

GHSA-5qv7-j6w5-fr4m

Related

https://github.com/image-rs/imageproc/pull/778

Patched

>=0.24.1, <0.25.0
>=0.25.1, <0.26.0
>=0.26.2

Unaffected

<0.24

Affected Functions

Version

imageproc::binary_descriptors::brief

>=0.24.0

Description

A read of pixels was coded as modifying coordinates to lie within the image bounds. It would calculate a coordinate by adding a constant to an input and taking the minimum of the resulting coordinate and 'dimension - 1'. This would not protect against malicious inputs that could overflow the addition. . Subsequently to the tricked bounds check the image could then be sampled at multiple, differently calculated coordinates exceeding the bounds.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0116: Unsoundness in imageproc

2026-05-07T12:00:00+00:00

RUSTSEC-2026-0116

Improper check of an invariant resulting in incorrect bounds checks

Reported

May 1, 2026

Issued

May 1, 2026 (last modified: May 7, 2026)

Package

imageproc (crates.io)

Type

INFO Unsound

Categories

memory-exposure

Keywords

#out-of-bounds-read #memory-safety

Aliases

GHSA-w5p8-4jcx-2j6r

Related

https://github.com/image-rs/imageproc/pull/777

Patched

>=0.23.1, <0.24.0
>=0.24.1, <0.25.0
>=0.25.1, <0.26.0
>=0.26.2

Description

A bounds verification of a slice storage of a 2-dimensional matrix's coefficients (a kernel) would compare the total size against the product of individual dimensions. This would erroneously cast after the multiplication and consequently fail to detect possible violations when overflow occurs.

Afterwards, the individual sizes were trusted to properly constrain coordinates within the matrix to indices valid for the underlying storage. With a crafted Kernel object, certain combinations of coordinates could then cause an out-of-bounds access in an unsafe function while fulfilling its documented preconditions. The kernel value could be passed to library functions that trusted the preconditions and then performed such reads.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0117: Unsoundness in imageproc

2026-05-07T12:00:00+00:00

RUSTSEC-2026-0117

Fragile bounds check when sampling from image

Reported

May 1, 2026

Issued

May 1, 2026 (last modified: May 7, 2026)

Package

imageproc (crates.io)

Type

INFO Unsound

Categories

memory-exposure

Keywords

#out-of-bounds-read #memory-safety

Aliases

GHSA-qg8r-f7x3-25f7

Patched

>=0.23.1, <0.24.0
>=0.24.1, <0.25.0
>=0.25.1, <0.26.0
>=0.26.2

Affected Functions

Version

imageproc::geometric_transformations::warp_into

>=0.23.0

imageproc::geometric_transformations::warp_into_with

>=0.23.0

Description

A bounds check was performed in floating points before a cast to the index passed to an unchecked access function. This checked considered NaN cases improperly, causing them to succeed the check instead of failing it. The floating point coordinate is under caller control by passing a selected projection matrix.

Carefully controlling the coordinates of an image with no data and one non-zero dimension provides an arbitrary read primitive in the first 32-bits of address space with a Bilinear sampling method.

Using bicubic sampling can result in a read of a few bytes beyond an allocation.

Other out-of-bounds reads may be possible.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0114: Vulnerability in wasmtime

2026-05-07T12:00:00+00:00

RUSTSEC-2026-0114

Panic when allocating a table exceeding the size of the host's address space

Reported

April 30, 2026

Issued

April 30, 2026 (last modified: May 7, 2026)

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg

CVSS Score

5.9 MEDIUM

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: Passive
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Patched

>=36.0.8, <37.0.0
>=43.0.2, <44.0.0
>=44.0.1

Unaffected

<30.0.0

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0113: Vulnerability in astral-tokio-tar

2026-04-28T12:00:00+00:00

RUSTSEC-2026-0113

unpack_in can chmod arbitrary directories by following symlinks

Reported

April 27, 2026

Issued

April 28, 2026

Package

astral-tokio-tar (crates.io)

Type

Vulnerability

Categories

file-disclosure

Keywords

#tar #chmod

Aliases

GHSA-xx64-wwv2-hcqq

References

https://github.com/advisories/GHSA-xx64-wwv2-hcqq

Patched

>=0.6.1

Description

In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.

See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.

Advisory available under CC0-1.0 license.