{"id":"RUSTSEC-2026-0139","summary":"Null-pointer dereference and double-free via safe APIs","details":"Two soundness violations exist in the Rust bindings for MetaCall:\n\n**Null-pointer dereference:** `MetaCallFuture::new_raw()` accepts a raw\npointer without validation. The `Debug` impl calls `Box::from_raw(self.data)`\non it. Passing a null pointer causes the `Debug` impl to construct a\n`NonNull` from null, producing undefined behavior.\n\n**Double-free:** `MetaCallPointer::clone()` shares the same `rust_value` raw\npointer between the clone and the original. Calling `get_value_untyped()` on\nboth clones calls `Box::from_raw` on the same pointer twice, resulting in a\ndouble-free.\n\nBoth issues can be triggered through safe public APIs —\n`MetaCallFuture::new_raw()`, `MetaCallPointer::new()`, `clone()`, and\n`get_value_untyped()` — with no `unsafe` required from the caller.","modified":"2026-05-13T15:00:15.670790Z","published":"2026-05-02T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/metacall"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0139.html"},{"type":"REPORT","url":"https://github.com/metacall/core/issues/618"}],"affected":[{"package":{"name":"metacall","ecosystem":"crates.io","purl":"pkg:cargo/metacall"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":[],"arch":[]},"affected_functions":null},"database_specific":{"categories":["memory-corruption"],"informational":"unsound","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0139.json","cvss":null}}],"schema_version":"1.7.5"}