Source: rust-rkyv
Version: 0.8.12-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rkyv/rkyv/issues/644
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

From https://github.com/rkyv/rkyv/issues/644
https://rustsec.org/advisories/RUSTSEC-2026-0001.html

| The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T>
| in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the
| allocator returns a null pointer on OOM (Out of Memory).
|
| This null pointer can flow through to SharedPointer::from_value, which
| calls Box::from_raw(ptr) with the null pointer. This triggers undefined
| behavior when utilizing safe deserialization APIs (such as
| rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs
| during the allocation of the shared pointer.
|
| The issue is reachable through safe code and violates Rust's safety
| guarantees.

Regards,
Salvatore
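
The null-check gap described in the advisory, as an added example that is not part of the original report and is not rkyv's code: a simplified model of the alloc and from_value steps in which a null return from the allocator is turned into an error before it can reach Box::from_raw. The names Source, raw_alloc, alloc_checked and boxed_from_value are hypothetical, and SimulatedOom is a constructed stand-in for an out-of-memory allocator.

```rust
use std::alloc::{alloc, Layout};
use std::ptr::NonNull;

/// Where memory comes from. `SimulatedOom` is a constructed stand-in for an
/// allocator that has run out of memory and returns null.
#[derive(Clone, Copy)]
pub enum Source { Global, SimulatedOom }

fn raw_alloc(src: Source, layout: Layout) -> *mut u8 {
    match src {
        // SAFETY: the only caller passes layouts with non-zero size.
        Source::Global => unsafe { alloc(layout) },
        Source::SimulatedOom => std::ptr::null_mut(),
    }
}

/// Allocation step with the missing check: null becomes an error value.
/// Production code would more commonly call `std::alloc::handle_alloc_error`;
/// an `Err` is returned here so the failure path can be observed.
pub fn alloc_checked<T>(src: Source) -> Result<NonNull<T>, Layout> {
    let layout = Layout::new::<T>();
    if layout.size() == 0 {
        return Ok(NonNull::dangling()); // zero-sized types need no allocation
    }
    NonNull::new(raw_alloc(src, layout).cast::<T>()).ok_or(layout)
}

/// "from_value" step: `Box::from_raw` only ever receives a non-null pointer.
pub fn boxed_from_value<T>(value: T, src: Source) -> Result<Box<T>, Layout> {
    let ptr = alloc_checked::<T>(src)?;
    // SAFETY: `ptr` is non-null and, for sized T, was allocated by the global
    // allocator with `Layout::new::<T>()`, which is what `Box::from_raw` requires.
    unsafe {
        ptr.as_ptr().write(value);
        Ok(Box::from_raw(ptr.as_ptr()))
    }
}

fn main() {
    println!("{:?}", boxed_from_value(7u64, Source::Global));
    println!("{:?}", boxed_from_value(7u64, Source::SimulatedOom));
}
```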

