rustsec-2026-0176
Vulnerability from osv_rustsec
Published: 2026-06-11 12:00
Modified: 2026-06-13 06:16
Summary
Out-of-bounds read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators
Details

PyO3 0.24.0 added optimized implementations of `Iterator::nth` and `DoubleEndedIterator::nth_back` for the `BoundListIterator` and `BoundTupleIterator` types. These implementations computed the target index using unchecked `usize` addition (`index + n`) before bounds-checking against the sequence length, then read the element via `get_item_unchecked`.

In the `nth` methods, a sufficiently large `n` (combined with a non-zero internal index) could cause the addition to overflow and wrap around, producing a small "target index" that passed the bounds check and enabled reads from the front of the list or tuple, i.e. of elements the iterator had already yielded.

In the `nth_back` methods, a sufficiently large `n` could cause an underflow in a similar fashion; there, however, the wrapped index would instead allow reads of arbitrary memory past the end of the list or tuple storage.

PyO3 0.29.0 corrected these methods to use checked arithmetic at the positions that could overflow. Affected versions are 0.24.0 up to, but not including, 0.29.0; upgrading to 0.29.0 or later is the fix.
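As an added illustration (not PyO3's code and not the patch from the referenced pull request), the block below models the index arithmetic the advisory describes on a plain slice-backed double-ended cursor. The vulnerable form computes the target with wrapping arithmetic, standing in for unchecked release-mode `+` in the pre-0.29 code, and the hardened form uses `checked_add`/`checked_sub`. The `Cursor` type, the exact `index_back - (n + 1)` shape of the `nth_back` computation and the placement of the bounds checks are assumptions for illustration; the `*_target_*` helpers return the index the read would use instead of performing an unsafe read, so the out-of-bounds case is observed without triggering undefined behaviour.

```rust
/// Hypothetical stand-in for `BoundListIterator` (added example, not PyO3 code):
/// a double-ended cursor over a slice. `index` is the next front position and
/// `index_back` is one past the next back position, so the unread window is
/// `index..index_back`.
pub struct Cursor<'a, T> {
    items: &'a [T],
    index: usize,
    index_back: usize,
}

impl<'a, T> Cursor<'a, T> {
    pub fn new(items: &'a [T]) -> Self {
        Cursor { items, index: 0, index_back: items.len() }
    }

    /// Vulnerable `nth` shape from the advisory: `index + n` is formed before
    /// the bounds check. `wrapping_add` models release-mode `+` (overflow
    /// checks off); a debug build would panic here instead. Returns the index
    /// the unchecked read would use, or None if the check rejects it.
    pub fn nth_target_unchecked_add(&self, n: usize) -> Option<usize> {
        let target = self.index.wrapping_add(n);
        if target < self.index_back { Some(target) } else { None }
    }

    /// Hardened `nth` shape: `checked_add` fails closed on overflow.
    pub fn nth_target_checked_add(&self, n: usize) -> Option<usize> {
        let target = self.index.checked_add(n)?;
        if target < self.index_back { Some(target) } else { None }
    }

    /// Assumed vulnerable `nth_back` shape: `index_back - (n + 1)` with the
    /// `n + 1` unchecked. For `n == usize::MAX`, `n + 1` wraps to 0 and the
    /// target becomes `index_back` itself, which lies at or past the end of
    /// the unread window (equal to `len()` for a fresh cursor).
    pub fn nth_back_target_unchecked_inc(&self, n: usize) -> Option<usize> {
        let target = self.index_back.checked_sub(n.wrapping_add(1))?;
        if target >= self.index { Some(target) } else { None }
    }

    /// Hardened `nth_back` shape: both the increment and the subtraction are
    /// checked, so the huge-`n` case yields None instead of an index.
    pub fn nth_back_target_checked_inc(&self, n: usize) -> Option<usize> {
        let target = self.index_back.checked_sub(n.checked_add(1)?)?;
        if target >= self.index { Some(target) } else { None }
    }

    /// Safe `nth`: checked arithmetic plus a bounds-checked slice read
    /// (`get`, never `get_unchecked`), then advance the front cursor.
    pub fn nth(&mut self, n: usize) -> Option<&'a T> {
        let target = self.nth_target_checked_add(n)?;
        let items = self.items;
        let item = items.get(target)?;
        // target < index_back <= len, so target + 1 cannot overflow.
        self.index = target + 1;
        Some(item)
    }

    /// Safe `nth_back`: the same discipline for the back cursor.
    pub fn nth_back(&mut self, n: usize) -> Option<&'a T> {
        let target = self.nth_back_target_checked_inc(n)?;
        let items = self.items;
        let item = items.get(target)?;
        self.index_back = target;
        Some(item)
    }
}

fn main() {
    // Constructed sample input.
    let data = [10, 20, 30, 40, 50];
    let mut front = Cursor::new(&data);
    let _ = front.nth(2); // yields 30; the front index is now 3

    // 3 + (usize::MAX - 2) wraps to 0: the vulnerable check accepts index 0,
    // an element already yielded; the checked form rejects it.
    let huge = usize::MAX - 2;
    println!(
        "nth: unchecked target = {:?}, checked target = {:?}",
        front.nth_target_unchecked_add(huge),
        front.nth_target_checked_add(huge)
    );

    // usize::MAX + 1 wraps to 0: the vulnerable nth_back accepts index
    // len() == 5, one past the end of storage; the checked form rejects it.
    let back = Cursor::new(&data);
    println!(
        "nth_back: unchecked target = {:?}, checked target = {:?}",
        back.nth_back_target_unchecked_inc(usize::MAX),
        back.nth_back_target_checked_inc(usize::MAX)
    );
}
```

Run it with `cargo run --release` to see the wrapped targets; the hardened paths return None for the same inputs. When auditing callers, note that `n` does not have to arrive through a literal `.nth(n)` call: the standard-library `Iterator::skip` adapter forwards its count to `nth` on its first `next` call, so an attacker-influenced skip count reaches the same arithmetic.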


{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-exposure"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "pyo3::types::list::BoundListIterator::nth",
            "pyo3::types::list::BoundListIterator::nth_back",
            "pyo3::types::tuple::BoundTupleIterator::nth",
            "pyo3::types::tuple::BoundTupleIterator::nth_back"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "pyo3",
        "purl": "pkg:cargo/pyo3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.24.0"
            },
            {
              "fixed": "0.29.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-36hh-v3qg-5jq4"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "PyO3 0.24.0 added optimized implementations of `Iterator::nth` and\n`DoubleEndedIterator::nth_back` for the `BoundListIterator` and\n`BoundTupleIterator` types. These implementations computed the target index\nusing unchecked `usize` addition (`index + n`) before bounds-checking against\nthe sequence length, then read the element via `get_item_unchecked`.\n\nIn `nth` methods, a sufficiently large `n` (combined with a non-zero internal\nindex) could cause the addition to overflow and wrap around, producing a small\n\"target index\" that passed the bounds check and enabling reads at the front\nof the `list` or `tuple` of elements previously yielded by the iterator.\n\nIn `nth_back` methods, a sufficiently large `n` could cause underflow in a\nsimilar fashion, however would instead allow reads of arbitrary memory past\nthe end of the `list` or `tuple` storage.\n\nPyO3 0.29.0 has corrected these methods to use checked arithmetic at the\npositions which could be at risk of overflow.",
  "id": "RUSTSEC-2026-0176",
  "modified": "2026-06-13T06:16:34Z",
  "published": "2026-06-11T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/pyo3"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0176.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PyO3/pyo3/pull/6086"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Out-of-bounds read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators"
}

