rustsec-2026-0152
Vulnerability from osv_rustsec
Published
2026-05-27 12:00
Modified
2026-06-01 13:19
Summary
Use-after-free
Details

Affected versions of oneringbuf exposed the obsolete IntoRef::into_ref method through the public IntoRef trait. For heap-backed ring buffers, this method returned a DroppableRef handle.

DroppableRef stored an owning raw pointer created from Box::into_raw. Its Clone implementation copied this raw pointer without incrementing the internal alive_iters counter. Internally, this clone pattern appears to rely on a fixed number of handles being created to match the initial alive_iters value. However, exposing DroppableRef through the public IntoRef::TargetRef associated type allows safe external code to create additional clones beyond that fixed count, breaking the lifetime protocol. Drop later dereferenced the pointer and could free the backing allocation with Box::from_raw.

Safe code could call IntoRef::into_ref to obtain a DroppableRef and then clone it. Each clone pointed to the same allocation, but the internal alive_iters counter was not increased. As a result, one clone could free the allocation while another clone still existed. Dropping the remaining clone then accessed freed memory, causing a heap-use-after-free.

The issue was fixed in version 0.8.0 by removing the obsolete into_ref method.

Trigger

use oneringbuf::{IntoRef, LocalHeapRB};

fn main() {
    let rb = LocalHeapRB::<usize>::from(vec![1, 2, 3]);

    let r = <LocalHeapRB<usize> as IntoRef>::into_ref(rb);
    let r2 = r.clone();
    let r3 = r.clone();

    drop(r);
    drop(r2);
    drop(r3); // AddressSanitizer: heap-use-after-free
}
References
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "oneringbuf",
        "purl": "pkg:cargo/oneringbuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of `oneringbuf` exposed the obsolete `IntoRef::into_ref` method through the public `IntoRef` trait. For heap-backed ring buffers, this method returned a `DroppableRef` handle.\n\n`DroppableRef` stored an owning raw pointer created from `Box::into_raw`. Its `Clone` implementation copied this raw pointer without incrementing the internal `alive_iters` counter. Internally, this clone pattern appears to rely on a fixed number of handles being created to match the initial `alive_iters` value. However, exposing `DroppableRef` through the public `IntoRef::TargetRef` associated type allows safe external code to create additional clones beyond that fixed count, breaking the lifetime protocol. `Drop` later dereferenced the pointer and could free the backing allocation with `Box::from_raw`.\n\nSafe code could call `IntoRef::into_ref` to obtain a `DroppableRef` and then clone it. Each clone pointed to the same allocation, but the internal `alive_iters` counter was not increased. As a result, one clone could free the allocation while another clone still existed. Dropping the remaining clone then accessed freed memory, causing a heap-use-after-free.\n\nThe issue was fixed in version 0.8.0 by removing the obsolete `into_ref` method.\n\n## Trigger\n\n```rust\nuse oneringbuf::{IntoRef, LocalHeapRB};\n\nfn main() {\n    let rb = LocalHeapRB::\u003cusize\u003e::from(vec![1, 2, 3]);\n\n    let r = \u003cLocalHeapRB\u003cusize\u003e as IntoRef\u003e::into_ref(rb);\n    let r2 = r.clone();\n    let r3 = r.clone();\n\n    drop(r);\n    drop(r2);\n    drop(r3); // AddressSanitizer: heap-use-after-free\n}\n```",
  "id": "RUSTSEC-2026-0152",
  "modified": "2026-06-01T13:19:35Z",
  "published": "2026-05-27T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/oneringbuf"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0152.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skilvingr/rust-oneringbuf/commit/643a24b30914068416dff9021a069c12c865a316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skilvingr/rust-oneringbuf/commit/643a24b30914068416dff9021a069c12c865a316"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Use-after-free"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.