CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-Q95X-7G78-RCCV

GHSA-Q95X-7G78-RCCV: Safe Rust Memory Corruption via Use-After-Free in oneringbuf Crate

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 8, 2026·7 min read·4 visits

Executive Summary (TL;DR)

A public API design flaw in the oneringbuf crate allows safe Rust code to trigger a heap Use-After-Free and Double Free via premature deallocation of shared heap-backed ring buffers.

A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.

Vulnerability Overview

The oneringbuf crate is a Rust-based collection of ring buffer implementations supporting stack-allocated, heap-allocated, and virtual-memory-backed storage. In versions prior to 0.8.0, the library exposed a public trait IntoRef with an associated method into_ref. This method permitted consumers to convert ring buffers into reference-like wrapper structures, such as DroppableRef for heap-backed storage, which was intended to simplify reference management.

The primary attack surface is the public API of the crate. By exposing IntoRef::into_ref, the API enabled downstream consumers to construct DroppableRef handles. The DroppableRef type wrapped raw pointers to heap-allocated buffers but did not properly track its active references. This configuration violates the Rust memory-safety model by exposing unsafe raw pointer operations through a fully safe public API.

Consequently, an unauthenticated local or remote attacker could trigger memory corruption, including Use-After-Free (UAF) or Double Free conditions, if they can control execution paths that utilize this API. The vulnerability belongs to the CWE-416 (Use After Free) class, leading to potential denial of service or arbitrary code execution depending on how the application processes or retrieves the affected buffers.

Root Cause Analysis

The root cause of the vulnerability lies in the interaction between the public IntoRef::into_ref trait method and the implementation of the Clone and Drop traits on the DroppableRef wrapper. When a heap-backed ring buffer such as LocalHeapRB or any buffer utilizing HeapStorage or VmemStorage is converted into a reference via into_ref, a DroppableRef wrapper is created. This wrapper encapsulates a raw pointer of type NonNull<B> pointing to the underlying heap buffer.

The DroppableRef struct implements the Clone trait. However, its cloning mechanism is flawed because it performs a trivial copy of the internal NonNull raw pointer. It does not increment any central reference counter or the crate's internal iterator state tracking (alive_iters). This results in multiple DroppableRef instances pointing to the exact same memory address, each unaware of the existence of the other clones.

The Drop implementation of DroppableRef is responsible for freeing the backing heap allocation when it is no longer needed. To do this, it invokes Box::from_raw on the internal raw pointer once its tracking indicates no more iterators are active. Because cloning the reference wrapper bypasses the reference tracking mechanisms, dropping the first cloned wrapper prematurely triggers deallocation. The other active wrappers are left pointing to deallocated memory, forming dangling pointers. Any subsequent drop or access operation on these dangling pointers results in a Use-After-Free or a Double Free.

Code Analysis

The following diagram illustrates the relationship between the cloned wrappers and the backing heap allocation, leading to the Use-After-Free condition:

Prior to version 0.8.0, the IntoRef trait in src/ring_buffer/wrappers/refs/mod.rs was defined as follows:

pub trait IntoRef {
    type TargetRef: BufRef<Buffer = Self>;
 
    // Vulnerable: Public method allowing safe construction of reference wrappers
    fn into_ref(s: Self) -> Self::TargetRef;
}

This allowed user code to invoke into_ref safely. The trait was implemented for heap-backed storage in src/ring_buffer/impls.rs:

#[cfg(feature = "alloc")]
impl<T, I: IterComponent> IntoRef for OneRingBuf<HeapStorage<T>, I> {
    type TargetRef = DroppableRef<Self>;
 
    // Vulnerable: Safely wraps the structure into DroppableRef
    fn into_ref(s: Self) -> Self::TargetRef {
        DroppableRef::from(s)
    }
}

The patch introduced in commit 643a24b30914068416dff9021a069c12c865a316 resolved this by completely stripping the into_ref method from the public trait interface:

// Patched version of IntoRef in src/ring_buffer/wrappers/refs/mod.rs
pub trait IntoRef {
    type TargetRef: BufRef<Buffer = Self>;
    // The into_ref method is completely removed
}

Similarly, the implementations of IntoRef in src/ring_buffer/impls.rs were updated to remove the definitions of into_ref. Because the method no longer exists, downstream safe Rust code can no longer instantiate DroppableRef or NonDroppableRef objects directly, mitigating the risk of incorrect cloning and premature deallocation.

Exploitation Methodology

Exploiting this vulnerability does not require any specific unsafe block in downstream code. Because the vulnerable methods were marked as safe public functions, an application developer could inadvertently write standard Rust code that causes memory corruption. The prerequisite is that the target application must instantiate a heap-backed ring buffer, call the IntoRef::into_ref method, clone the resulting reference wrapper, and allow the original reference to go out of scope or explicitly drop it.

A functional proof-of-concept demonstrating the flaw is presented below. In this scenario, we initialize a LocalHeapRB buffer, obtain a wrapper r, clone it twice (r2 and r3), and then drop the instances in sequence:

use oneringbuf::{IntoRef, LocalHeapRB};
 
fn main() {
    // Initialize heap-backed ring buffer
    let rb = LocalHeapRB::<usize>::from(vec![1, 2, 3]);
 
    // Create initial DroppableRef wrapper via safe API
    let r = <LocalHeapRB<usize> as IntoRef>::into_ref(rb);
    
    // Clone the wrapper, copying the raw pointer without updating reference counters
    let r2 = r.clone();
    let r3 = r.clone();
 
    // Dropping the original wrapper reclaims the backing storage using Box::from_raw
    drop(r);
 
    // Dropping r2 accesses/manipulates the deallocated storage
    drop(r2);
 
    // Dropping r3 attempts to reclaim the already deallocated heap block (Double Free)
    drop(r3); 
}

When this program is compiled and executed under AddressSanitizer (ASan), it immediately halts execution with a heap Use-After-Free diagnostic during the destruction of r2 or r3. If compiled under standard release configurations without sanitizers, the execution state becomes unpredictable, leading to heap corruption that could be manipulated for control flow hijack or denial of service depending on the allocator configuration.

Impact Assessment

The impact of this vulnerability is critical for any application relying on the memory safety guarantees of the Rust programming language. Because the vulnerability allows safe Rust code to trigger raw pointer deallocation, it bypasses the compiler's compile-time borrow checker checks. Consequently, applications that expose endpoints consuming or manipulating user-controlled input within these ring buffers may be vulnerable to remote exploits.

If an attacker can control the contents or timing of the deallocated heap space (heap spraying), they may be able to replace the deallocated OneRingBuf structure with malicious payloads. This could lead to arbitrary code execution within the context of the running application process. If code execution is not achieved, the vulnerability reliably causes application crashes, creating a vector for localized or remote Denial of Service (DoS).

The CVSS v4.0 base score is evaluated at 6.3 (Medium). This indicates that while the vulnerability represents a significant memory safety violation, exploitation is restricted by the requirement that the target program must actively employ the into_ref method of the oneringbuf crate. No active exploitation has been detected in the wild.

Remediation and Fix Completeness

The recommended remediation is to upgrade the oneringbuf crate dependency to version 0.8.0 or higher. This version completely eliminates the into_ref method from the public trait, which prevents the instantiation of the unsafe wrappers by external code.

We assess this fix as complete for downstream safe Rust consumers. By removing the public API entrypoint, the maintainer has enforced compile-time safety. Downstream code will fail to compile if it attempts to call into_ref. There are no alternative safe paths in the crate that expose DroppableRef or NonDroppableRef to external callers.

For deployments where immediate upgrading is not viable, developers should audit their codebases to ensure that IntoRef::into_ref is never called. If the trait method is used, it should be refactored to utilize native Rust borrowing mechanisms (such as standard references & or &mut, or standard smart pointers like Rc or Arc) instead of the crate's custom reference wrappers.

Official Patches

SkilfingrOfficial patch commit removing into_ref

Fix Analysis (1)

Technical Appendix

CVSS Score
6.3/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Systems

oneringbuf (Rust crate)

Affected Versions Detail

Product
Affected Versions
Fixed Version
oneringbuf
Skilfingr
< 0.8.00.8.0
AttributeDetail
CWE IDCWE-416 (Use After Free)
Attack VectorNetwork
Attack ComplexityLow
Attack RequirementsPresent (Application using specific public API)
CVSS v4.06.3 (Medium)
Exploit StatusProof-of-Concept Available
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1203Exploitation for Client Execution
Execution
T1190Exploit Public-Facing Application
Initial Access
T1499Endpoint Denial of Service
Impact
CWE-416
Use After Free

The product references memory after it has been freed, which can lead to a crash, unexpected values, or code execution.

Vulnerability Timeline

Vulnerability reported by Athanasios Trispiotis
2026-05-27
Bug fixed in commit 643a24b3 and oneringbuf version 0.8.0 was released
2026-05-27
RustSec Advisory RUSTSEC-2026-0152 was issued
2026-06-01
GitHub Advisory GHSA-Q95X-7G78-RCCV was published
2026-07-08

References & Sources

  • [1]GitHub Security Advisory GHSA-q95x-7g78-rccv
  • [2]RustSec Advisory RUSTSEC-2026-0152
  • [3]Source Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
3 views•5 min read
•about 2 hours ago•CVE-2026-49471
8.3

CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.

Alon Barad
Alon Barad
6 views•5 min read
•about 2 hours ago•GHSA-MXWC-WH95-PW4G
5.3

GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 16 hours ago•CVE-2026-53359
8.8

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

Amit Schendel
Amit Schendel
71 views•5 min read
•about 16 hours ago•CVE-2026-48282
10.0

CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services

CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.

Alon Barad
Alon Barad
26 views•6 min read
•about 21 hours ago•GHSA-GQ4G-FPC9-VJFQ
2.3

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

Alon Barad
Alon Barad
8 views•5 min read