{"id":"RUSTSEC-2026-0143","summary":"Double-free in `vmem` storage reachable from safe Rust","details":"When the `vmem` feature is enabled, `VmemStorage\u003cT\u003e::new(Box\u003c[UnsafeSyncCell\u003cT\u003e]\u003e)` (and every public constructor that funnels through it — `ConcurrentHeapRB::default(cap)`, `ConcurrentHeapRB::from(Vec\u003cT\u003e)`, `From\u003cBox\u003c[T]\u003e\u003e`, etc.) bit-copies the input buffer into a freshly `mmap`'d region with `ptr::copy_nonoverlapping`, then lets the source `Box\u003c[UnsafeSyncCell\u003cT\u003e]\u003e` drop normally.\n\nBecause `UnsafeSyncCell\u003cT\u003e` has a `Drop` impl that runs `assume_init_drop` on its inner `MaybeUninit\u003cT\u003e`, the source-side `T` values are dropped at the end of `new`, while bitwise duplicates (carrying the same heap pointers for `String`, `Box`, `Vec`, `Arc`, …) remain inside the mmap region. When the ring buffer is later destructed, the destructor's `drop_in_place` over the slice runs `UnsafeSyncCell::drop` a second time on every cell — a deterministic double-free of every heap-owning element. Reachable from 100% safe Rust.\n\n## Trigger\n\n```rust\nlet v: Vec\u003cVec\u003cu32\u003e\u003e = (0..1024).map(|i| vec![i, i+1, i+2]).collect();\nlet rb: oneringbuf::SharedVmemRB\u003cVec\u003cu32\u003e\u003e = oneringbuf::SharedVmemRB::from(v);\ndrop(rb);\n// glibc: free(): double free detected in tcache 2 -\u003e abort\n// ASan: AddressSanitizer: attempting double-free\n```\n\nAny `T` with a non-trivial `Drop` reproduces deterministically.\n\n## Fix\n\nFixed in `0.7.1` via upstream PR [skilvingr/rust-oneringbuf#3](https://github.com/skilvingr/rust-oneringbuf/pull/3), which deallocates the source `Box\u003c[UnsafeSyncCell\u003cT\u003e]\u003e` without running per-element `Drop` after the bytes have been copied into the mmap region. Vulnerable versions (`\u003c 0.7.1`) have been yanked from crates.io.","modified":"2026-05-14T21:30:09.004866Z","published":"2026-05-14T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/oneringbuf"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0143.html"},{"type":"WEB","url":"https://github.com/skilvingr/rust-oneringbuf/pull/3"}],"affected":[{"package":{"name":"oneringbuf","ecosystem":"crates.io","purl":"pkg:cargo/oneringbuf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.7.1"}]}],"ecosystem_specific":{"affects":{"functions":["oneringbuf::VmemStorage::new"],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"informational":"unsound","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0143.json","cvss":null,"categories":["memory-corruption"]}}],"schema_version":"1.7.5"}