{"id":"RUSTSEC-2026-0156","summary":"Bad-free in `MetaCallException::new`","details":"`exception_struct` is a local stack variable, but the code passes its address to C code as `&mut exception_struct as *mut _ as *mut c_void`. The returned `MetaCallException` value is then stored here:\n```rust\nOk(Self {\n    exception_struct: Arc::new(exception_struct),\n    value: exception_ptr,\n    leak: false,\n})\n```\nBecause `leak` is `false`, the destructor will run later, but the original exception pointer points to Rust stack memory.\n\n## Trigger\n\n```rust\n#[test]\nfn exception_bad_free_safe_api() {\n    let original = metacall::MetaCallException::new(\n        \"test\",\n        \"test\",\n        \"test\",\n        1,\n    );\n\n    drop(original); // AddressSanitizer: bad-free\n}\n```\n\n## Impact\n\nEvery `MetaCallException` that is created leads to a bad-free when it is dropped. This can be triggered through the safe public API `MetaCallException::new()`, with no `unsafe` required from the caller.","modified":"2026-06-03T10:45:04.175671146Z","published":"2026-06-01T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/metacall"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0156.html"},{"type":"REPORT","url":"https://github.com/metacall/core/issues/809"}],"affected":[{"package":{"name":"metacall","ecosystem":"crates.io","purl":"pkg:cargo/metacall"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affects":{"functions":[],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0156.json","informational":null,"categories":["memory-corruption"],"cvss":null}}],"schema_version":"1.7.5"}