{"id":"RUSTSEC-2026-0122","summary":"Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`","details":"`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe.\nBoth functions iterate over their elements and call `drop_in_place` on each,\nupdating `self.len` only *after* the loop. If an element's `Drop` implementation\npanics during the loop, `self.len` is left at its original value.\n\nA subsequent invocation of `clear()` on the same container then re-visits the\nalready-freed elements:\n\n- `InlineVec::clear()` is called again from `InlineVec`'s own `Drop`\n  implementation when the value is later dropped.\n- `SerVec::clear()` is called again by `SerVec::with_capacity()` after the\n  user closure returns.\n\n## Impact\n- **CWE-415 (Double Free):** heap corruption when the element type is one that\n  owns memory, such as `Box\u003cT\u003e` or `Vec\u003cT\u003e`\n- **CWE-416 (Use-After-Free):** memory corruption when an element is accessed\n  following a caught panic\n\nBoth types of undefined behavior can be invoked in safe Rust, but only if\nunwinding panics are enabled and `std::panic::catch_unwind` is used.","modified":"2026-05-11T14:00:23.369465Z","published":"2026-04-23T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rkyv"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0122.html"},{"type":"WEB","url":"https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb"}],"affected":[{"package":{"name":"rkyv","ecosystem":"crates.io","purl":"pkg:cargo/rkyv"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.8.0"},{"fixed":"0.8.16"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0122.json","informational":"unsound","cvss":null,"categories":["code-execution","memory-corruption"]}}],"schema_version":"1.7.5"}