RUSTSEC-2026-0007

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2026-0007

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0007.json

JSON Data

https://api.test.osv.dev/v1/vulns/RUSTSEC-2026-0007

Aliases

Published

2026-02-03T12:00:00Z

Modified

2026-02-04T06:56:11Z

Summary

Integer overflow in `BytesMut::reserve`

Details

In the unique reclaim path of BytesMut::reserve, the condition

if v_capacity >= new_cap + offset

uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.

This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.

PoC

use bytes::*;

fn main() {
    let mut a = BytesMut::from(&b"hello world"[..]);
    let mut b = a.split_off(5);

    // Ensure b becomes the unique owner of the backing storage
    drop(a);

    // Trigger overflow in new_cap + offset inside reserve
    b.reserve(usize::MAX - 6);

    // This call relies on the corrupted cap and may cause UB & HBO
    b.put_u8(b'h');
}

Workarounds

Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.

Database specific

{
    "license": "CC-BY-4.0"
}

References

Affected packages

crates.io / bytes

Package

Name: bytes; View open source insights on deps.dev
Purl: pkg:cargo/bytes

Affected ranges

Type: SEMVER
Events: Introduced

1.2.1

Fixed

1.11.1

Ecosystem specific

{
    "affects": {
        "arch": [],
        "functions": [],
        "os": []
    },
    "affected_functions": null
}