GHSA-5W5R-MF82-595P
Vulnerability from github – Published: 2026-01-28 16:06 – Updated: 2026-01-28 16:06
Summary
Cap'n Proto has Undefined Behavior in constant::Reader and StructSchema
Details
The safe API functions `constant::Reader::get` and `StructSchema::new` rely on `PointerReader::get_root_unchecked`, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.
`Reader::get`
```rust
pub fn get(&self) -> Result<<T as Owned>::Reader<'static>> {
    // ...
    // UNSAFE: access `words` without validation
}
```
`StructSchema::new`
```rust
pub fn new(builder: RawBrandedStructSchema) -> StructSchema {
    // ...
    // UNSAFE: access encoded nodes without validation
}
```
This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.
The issue is resolved in version `0.24.0` by making the constructor functions `unsafe` and marking the struct fields as visible only within the crate.
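The shape of that fix, as an added Rust sketch that is not capnp's code or API: `RawWords`, `new_unchecked`, `new_checked` and `first_word` are hypothetical names, and the 8-byte-word invariant is an assumed stand-in for the validation the advisory says was skipped.

```rust
// Added illustration with hypothetical names; this is not capnp's code or API.
mod raw {
    /// Invariant (assumed for this sketch): `words` is non-empty and a whole
    /// number of 8-byte words. With a `pub` field, safe code could build a
    /// value that breaks it; keeping the field crate-private closes that path.
    pub struct RawWords {
        pub(crate) words: &'static [u8],
    }

    impl RawWords {
        /// # Safety
        /// The caller must uphold the invariant documented on `RawWords`.
        pub const unsafe fn new_unchecked(words: &'static [u8]) -> Self {
            RawWords { words }
        }

        /// Safe entry point: checks the invariant instead of trusting the caller.
        pub fn new_checked(words: &'static [u8]) -> Result<Self, &'static str> {
            if words.is_empty() || words.len() % 8 != 0 {
                return Err("not a whole number of 8-byte words");
            }
            Ok(RawWords { words })
        }

        /// Safe accessor whose soundness rests entirely on the invariant.
        pub fn first_word(&self) -> u64 {
            // SAFETY: every way of constructing `RawWords` guarantees >= 8 bytes.
            let head = unsafe { self.words.get_unchecked(..8) };
            let mut buf = [0u8; 8];
            buf.copy_from_slice(head);
            u64::from_le_bytes(buf)
        }
    }
}

// Constructed sample inputs.
static GOOD: [u8; 8] = [1, 0, 0, 0, 0, 0, 0, 0];
static SHORT: [u8; 3] = [1, 2, 3];

fn main() {
    let ok = raw::RawWords::new_checked(&GOOD).expect("valid words");
    println!("first word = {}", ok.first_word());
    println!("short input rejected = {}", raw::RawWords::new_checked(&SHORT).is_err());
    // An embedder of known-good data takes on the proof obligation explicitly.
    let trusted = unsafe { raw::RawWords::new_unchecked(&GOOD) };
    println!("trusted first word = {}", trusted.first_word());
}
```

Outside the defining crate, the only ways to obtain a `RawWords` are the validating constructor or an explicit `unsafe` block, so a reviewer can find every unchecked construction by searching for `unsafe`.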
```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "capnp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-758"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-28T16:06:09Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "The safe API functions `constant::Reader::get` and `StructSchema::new` rely on `PointerReader::get_root_unchecked`, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.\n\n## `Reader::get`\n\n```rust\npub fn get(\u0026self) -\u003e Result\u003c\u003cT as Owned\u003e::Reader\u003c\u0027static\u003e\u003e {\n // ...\n // UNSAFE: access `words` without validation\n}\n```\n\n## `StructSchema::new`\n\n```rust\npub fn new(builder: RawBrandedStructSchema) -\u003e StructSchema {\n // ...\n // UNSAFE: access encoded nodes without validation\n}\n```\n\nThis vulnerability allows safe Rust code to trigger UB, which violates Rust\u0027s safety guarantees.\n\nThe issue is resolved in version `0.24.0` by making constructor functions unsafe and mark the fields of struct as visible only in the crate.",
  "id": "GHSA-5w5r-mf82-595p",
  "modified": "2026-01-28T16:06:09Z",
  "published": "2026-01-28T16:06:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/capnproto/capnproto-rust/issues/605"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capnproto/capnproto-rust/commit/7b981f4c75a975c80444cd38729bcdf12bf3eabf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capnproto/capnproto-rust/commit/e3aeec213e6d1b30a182bf61682a370f20d8a02c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/capnproto/capnproto-rust"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0143.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cap\u0027n Proto has Undefined Behavior in constant::Reader and StructSchema"
}
```