rustsec-2026-0157
Vulnerability from osv_rustsec
Published
2026-06-01 12:00
Modified
2026-06-03 10:42
Summary
Several memory corruption issues via safe APIs
Details

Several soundness violations exist in the Rust bindings for MetaCall, indicatively:

MetaCallException::Clone: Clone is dangerous because it creates a second Rust object that still points to the same foreign MetaCall value, but does not actually own or keep that value alive. value is shallow copied and leak=true does not guarantee safety; Clone does not free the MetaCall value, but it still stores the same raw pointer. If the original is dropped, the Clone can retain a dangling pointer.

MetaCallException::new_raw: is a safe function that accepts arbitrary raw pointer and dereferences C memory. This function is only correct if the caller gives it a valid, owned MetaCall value that must be destroyed by this wrapper. The method should be internal and not exposed to the public API or be declared as unsafe and be correctly documented.

Same issues exist in MetaCallThrowable::Clone, MetaCallThrowable::new_raw, MetaCallClass::Clone, MetaCallClass::new_raw, MetaCallFuture::Clone, MetaCallFuture::new_raw, MetaCallPointer::Clone, MetaCallPointer::new_raw, MetaCallFunction::Clone, MetaCallFunction::new_raw, MetaCallObject::Clone, and MetaCallObject::new_raw.

All issues can be triggered through safe public APIs.

References
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "metacall",
        "purl": "pkg:cargo/metacall"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Several soundness violations exist in the Rust bindings for `MetaCall`, indicatively:\n\n**`MetaCallException::Clone`**: `Clone` is dangerous because it creates a second Rust object that still points to the same foreign `MetaCall` value, but does not actually own or keep that value alive. `value` is shallow copied and `leak=true` does not guarantee safety; `Clone` does not free the `MetaCall` value, but it still stores the same raw pointer. If the original is dropped, the `Clone` can retain a dangling pointer.\n\n**`MetaCallException::new_raw`**: is a safe function that accepts arbitrary raw pointer and dereferences C memory. This function is only correct if the caller gives it a valid, owned `MetaCall` value that must be destroyed by this wrapper. The method should be internal and not exposed to the public API or be declared as unsafe and be correctly documented.\n\nSame issues exist in `MetaCallThrowable::Clone`, `MetaCallThrowable::new_raw`, `MetaCallClass::Clone`, `MetaCallClass::new_raw`, `MetaCallFuture::Clone`, `MetaCallFuture::new_raw`, `MetaCallPointer::Clone`, `MetaCallPointer::new_raw`, `MetaCallFunction::Clone`, `MetaCallFunction::new_raw`, `MetaCallObject::Clone`, and `MetaCallObject::new_raw`. \n\nAll issues can be triggered through safe public APIs.",
  "id": "RUSTSEC-2026-0157",
  "modified": "2026-06-03T10:42:03Z",
  "published": "2026-06-01T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/metacall"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0157.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/metacall/core/issues/809"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Several memory corruption issues via safe APIs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.