{"id":"RUSTSEC-2026-0001","summary":"Potential Undefined Behaviors in `Arc\u003cT\u003e`/`Rc\u003cT\u003e` impls of `from_value` on OOM","details":"The `SharedPointer::alloc` implementation for `sync::Arc\u003cT\u003e` and `rc::Rc\u003cT\u003e` in `rkyv/src/impls/alloc/rc/atomic.rs` (and `rc.rs`) does not check if the allocator returns a null pointer on OOM (Out of Memory).\n\nThis null pointer can flow through to `SharedPointer::from_value`, which calls `Box::from_raw(ptr)` with the null pointer. This triggers undefined behavior when utilizing safe deserialization APIs (such as `rkyv::from_bytes` or `rkyv::deserialize_using`) if an OOM condition occurs during the allocation of the shared pointer.\n\nThe issue is reachable through safe code and violates Rust's safety guarantees.","modified":"2026-01-06T15:50:23.269686Z","published":"2026-01-05T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rkyv"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0001.html"},{"type":"REPORT","url":"https://github.com/rkyv/rkyv/issues/644"}],"affected":[{"package":{"name":"rkyv","ecosystem":"crates.io","purl":"pkg:cargo/rkyv"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.7.46"},{"introduced":"0.8.0"},{"fixed":"0.8.13"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0001.json","categories":["memory-corruption"],"informational":null}}],"schema_version":"1.7.3"}