rustsec-2026-0143
Vulnerability from osv_rustsec
Published
2026-05-14 12:00
Modified
2026-05-14 21:26
Summary
Double-free in `vmem` storage reachable from safe Rust
Details

When the vmem feature is enabled, VmemStorage<T>::new(Box<[UnsafeSyncCell<T>]>) (and every public constructor that funnels through it — ConcurrentHeapRB::default(cap), ConcurrentHeapRB::from(Vec<T>), From<Box<[T]>>, etc.) bit-copies the input buffer into a freshly mmap'd region with ptr::copy_nonoverlapping, then lets the source Box<[UnsafeSyncCell<T>]> drop normally.

Because UnsafeSyncCell<T> has a Drop impl that runs assume_init_drop on its inner MaybeUninit<T>, the source-side T values are dropped at the end of new, while bitwise duplicates (carrying the same heap pointers for String, Box, Vec, Arc, …) remain inside the mmap region. When the ring buffer is later destructed, the destructor's drop_in_place over the slice runs UnsafeSyncCell::drop a second time on every cell — a deterministic double-free of every heap-owning element. Reachable from 100% safe Rust.

Trigger

let v: Vec<Vec<u32>> = (0..1024).map(|i| vec![i, i+1, i+2]).collect();
let rb: oneringbuf::SharedVmemRB<Vec<u32>> = oneringbuf::SharedVmemRB::from(v);
drop(rb);
// glibc: free(): double free detected in tcache 2 -> abort
// ASan: AddressSanitizer: attempting double-free

Any T with a non-trivial Drop reproduces deterministically.

Fix

Fixed in 0.7.1 via upstream PR skilvingr/rust-oneringbuf#3, which deallocates the source Box<[UnsafeSyncCell<T>]> without running per-element Drop after the bytes have been copied into the mmap region. Vulnerable versions (< 0.7.1) have been yanked from crates.io.

References
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "oneringbuf::VmemStorage::new"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "oneringbuf",
        "purl": "pkg:cargo/oneringbuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.7.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "When the `vmem` feature is enabled, `VmemStorage\u003cT\u003e::new(Box\u003c[UnsafeSyncCell\u003cT\u003e]\u003e)` (and every public constructor that funnels through it \u2014 `ConcurrentHeapRB::default(cap)`, `ConcurrentHeapRB::from(Vec\u003cT\u003e)`, `From\u003cBox\u003c[T]\u003e\u003e`, etc.) bit-copies the input buffer into a freshly `mmap`\u0027d region with `ptr::copy_nonoverlapping`, then lets the source `Box\u003c[UnsafeSyncCell\u003cT\u003e]\u003e` drop normally.\n\nBecause `UnsafeSyncCell\u003cT\u003e` has a `Drop` impl that runs `assume_init_drop` on its inner `MaybeUninit\u003cT\u003e`, the source-side `T` values are dropped at the end of `new`, while bitwise duplicates (carrying the same heap pointers for `String`, `Box`, `Vec`, `Arc`, \u2026) remain inside the mmap region. When the ring buffer is later destructed, the destructor\u0027s `drop_in_place` over the slice runs `UnsafeSyncCell::drop` a second time on every cell \u2014 a deterministic double-free of every heap-owning element. Reachable from 100% safe Rust.\n\n## Trigger\n\n```rust\nlet v: Vec\u003cVec\u003cu32\u003e\u003e = (0..1024).map(|i| vec![i, i+1, i+2]).collect();\nlet rb: oneringbuf::SharedVmemRB\u003cVec\u003cu32\u003e\u003e = oneringbuf::SharedVmemRB::from(v);\ndrop(rb);\n// glibc: free(): double free detected in tcache 2 -\u003e abort\n// ASan: AddressSanitizer: attempting double-free\n```\n\nAny `T` with a non-trivial `Drop` reproduces deterministically.\n\n## Fix\n\nFixed in `0.7.1` via upstream PR [skilvingr/rust-oneringbuf#3](https://github.com/skilvingr/rust-oneringbuf/pull/3), which deallocates the source `Box\u003c[UnsafeSyncCell\u003cT\u003e]\u003e` without running per-element `Drop` after the bytes have been copied into the mmap region. Vulnerable versions (`\u003c 0.7.1`) have been yanked from crates.io.",
  "id": "RUSTSEC-2026-0143",
  "modified": "2026-05-14T21:26:19Z",
  "published": "2026-05-14T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/oneringbuf"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0143.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skilvingr/rust-oneringbuf/pull/3"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Double-free in `vmem` storage reachable from safe Rust"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.