{"id":"RUSTSEC-2026-0152","summary":"Use-after-free","details":"Affected versions of `oneringbuf` exposed the obsolete `IntoRef::into_ref` method through the public `IntoRef` trait. For heap-backed ring buffers, this method returned a `DroppableRef` handle.\n\n`DroppableRef` stored an owning raw pointer created from `Box::into_raw`. Its `Clone` implementation copied this raw pointer without incrementing the internal `alive_iters` counter. Internally, this clone pattern appears to rely on a fixed number of handles being created to match the initial `alive_iters` value. However, exposing `DroppableRef` through the public `IntoRef::TargetRef` associated type allows safe external code to create additional clones beyond that fixed count, breaking the lifetime protocol. `Drop` later dereferenced the pointer and could free the backing allocation with `Box::from_raw`.\n\nSafe code could call `IntoRef::into_ref` to obtain a `DroppableRef` and then clone it. Each clone pointed to the same allocation, but the internal `alive_iters` counter was not increased. As a result, one clone could free the allocation while another clone still existed. 
Dropping the remaining clone then accessed freed memory, causing a heap-use-after-free.\n\nThe issue was fixed in version 0.8.0 by removing the obsolete `into_ref` method.\n\n## Trigger\n\n```rust\nuse oneringbuf::{IntoRef, LocalHeapRB};\n\nfn main() {\n    let rb = LocalHeapRB::\u003cusize\u003e::from(vec![1, 2, 3]);\n\n    let r = \u003cLocalHeapRB\u003cusize\u003e as IntoRef\u003e::into_ref(rb);\n    let r2 = r.clone();\n    let r3 = r.clone();\n\n    drop(r);\n    drop(r2);\n    drop(r3); // AddressSanitizer: heap-use-after-free\n}\n```","modified":"2026-06-01T13:30:04.518300114Z","published":"2026-05-27T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/oneringbuf"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0152.html"},{"type":"WEB","url":"https://github.com/skilvingr/rust-oneringbuf/commit/643a24b30914068416dff9021a069c12c865a316"}],"affected":[{"package":{"name":"oneringbuf","ecosystem":"crates.io","purl":"pkg:cargo/oneringbuf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.8.0"}]}],"ecosystem_specific":{"affects":{"os":[],"arch":[],"functions":[]},"affected_functions":null},"database_specific":{"cvss":null,"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0152.json","categories":["memory-corruption"]}}],"schema_version":"1.7.5"}