{"id":"RUSTSEC-2026-0131","summary":"Double-free in `Chomp::inner()`","details":"`Chomp::inner()` uses `std::ptr::read_unaligned` to move out the value from a\nraw pointer. If the original value is an owned type (e.g. `Box`), calling\n`inner()` moves out the ownership, but the original variable will still be\ndropped at the end of its scope. This causes the same heap memory to be freed\ntwice, resulting in a double-free and undefined behavior.\n\nThis can be triggered through safe public APIs — `Chomp::new()` and\n`Chomp::inner()` — with no `unsafe` required from the caller.","modified":"2026-05-13T12:45:12.022837Z","published":"2026-05-02T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/bitchomp"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0131.html"},{"type":"REPORT","url":"https://github.com/KingPEPSALT/bitchomp/issues/5"}],"affected":[{"package":{"name":"bitchomp","ecosystem":"crates.io","purl":"pkg:cargo/bitchomp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":[],"os":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0131.json","categories":["memory-corruption"],"cvss":null,"informational":"unsound"}}],"schema_version":"1.7.5"}