rustsec-2026-0156
Vulnerability from osv_rustsec
Published
2026-06-01 12:00
Modified
2026-06-03 10:42
Summary
Bad-free in `MetaCallException::new`
Details
exception_struct is a local stack variable, but the code passes its address to the C language as &mut exception_struct as *mut _ as *mut c_void. Then, the returned MetaCallException value is stored here:
Ok(Self {
exception_struct: Arc::new(exception_struct),
value: exception_ptr,
leak: false,
})
Because leak is false, the destructor will run later. But the original exception pointer points to Rust stack memory.
Trigger
#[test]
fn exception_bad_free_safe_api() {
let original = metacall::MetaCallException::new(
"test",
"test",
"test",
1,
);
drop(original); // AddressSanitizer: bad-free
}
Impact
Every time the MetaCallException is created, when it is dropped, it leads to a bad-free. This can be triggered through the safe public API MetaCallException::new(), with no unsafe required from the caller.
References
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "metacall",
"purl": "pkg:cargo/metacall"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`exception_struct` is a local stack variable, but the code passes its address to the C language as `\u0026mut exception_struct as *mut _ as *mut c_void`. Then, the returned `MetaCallException` value is stored here:\n```rust\nOk(Self {\n exception_struct: Arc::new(exception_struct),\n value: exception_ptr,\n leak: false,\n})\n```\nBecause leak is false, the destructor will run later. But the original exception pointer points to Rust stack memory.\n\n## Trigger\n\n```rust\n#[test]\nfn exception_bad_free_safe_api() {\n let original = metacall::MetaCallException::new(\n \"test\",\n \"test\",\n \"test\",\n 1,\n );\n\n drop(original); // AddressSanitizer: bad-free\n}\n```\n\n## Impact\n\nEvery time the `MetaCallException` is created, when it is dropped, it leads to a bad-free. This can be triggered through the safe public API `MetaCallException::new()`, with no `unsafe` required from the caller.",
"id": "RUSTSEC-2026-0156",
"modified": "2026-06-03T10:42:03Z",
"published": "2026-06-01T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/metacall"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0156.html"
},
{
"type": "REPORT",
"url": "https://github.com/metacall/core/issues/809"
}
],
"related": [],
"severity": [],
"summary": "Bad-free in `MetaCallException::new`"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…