GHSA-VFVV-C25P-M7MM rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution

InlineVec::clear and SerVec::clear in rkyv were not panic-safe. Both functions iterate over their elements and call dropinplace on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value. A subsequent invocati...

rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution

InlineVec::clear and SerVec::clear in rkyv were not panic-safe. Both functions iterate over their elements and call dropinplace on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value. A subsequent invocati...

[SECURITY] Fedora 42 Update: rust-rkyv0.7-0.7.46-1.fc42

Zero-copy deserialization framework for Rust...

[SECURITY] Fedora 42 Update: rust-rkyv_derive0.7-0.7.46-1.fc42

Derive macro for rkyv...

[SECURITY] Fedora 43 Update: rust-rkyv_derive0.7-0.7.46-1.fc43

Derive macro for rkyv...

Fedora 43 : rust-rkyv0.7 / rust-rkyv_derive0.7 (2026-35d1dee2ab)

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-35d1dee2ab advisory. https://rustsec.org/advisories/RUSTSEC-2026-0001 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...

Fedora: Security Advisory (FEDORA-2026-35d1dee2ab)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora 44 : rust-rkyv0.7 / rust-rkyv_derive0.7 (2026-f08ea66b23)

The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-f08ea66b23 advisory. https://rustsec.org/advisories/RUSTSEC-2026-0001 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...

CVE-2021-31919

An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct...

RUSTSEC-2026-0001 Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM

The SharedPointer::alloc implementation for sync::Arc and rc::Rc in rkyv/src/impls/alloc/rc/atomic.rs and rc.rs does not check if the allocator returns a null pointer on OOM Out of Memory. This null pointer can flow through to SharedPointer::fromvalue, which calls Box::fromrawptr with the null...

acme-compilers (>=0.2.2 <=0.2.4), acvm (>=0.23.0 <=0.26.1) +285 more potentially affected by unknown CVE via rkyv (>=0.1.1 <=0.7.45)

rkyv CARGO version =0.1.1, =0.2.2, =0.23.0, =0.23.0, =0.0.1, =0.2.0, =0.39.0, =0.23.0, =0.26.1 - cairn-import-geonames =0.0.2-alpha - cairn-import-oa =0.0.2-alpha - cairn-import-osm =0.0.2-alpha - cairn-import-wof =0.0.2-alpha and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-00...

PT-2026-3079

The SharedPointer::alloc implementation for sync::Arc and rc::Rc in rkyv/src/impls/alloc/rc/atomic.rs and rc.rs does not check if the allocator returns a null pointer on OOM Out of Memory. This null pointer can flow through to SharedPointer::from value, which calls Box::from rawptr with the null...

Bincode is unmaintained

Due to a doxxing and harassment incident, the bincode team has taken the decision to cease development permanently. The team considers version 1.3.3 a complete version of bincode that is not in need of any updates. Alternatives to consider wincode postcard bitcode rkyv...

RUSTSEC-2025-0141 Bincode is unmaintained

Due to a doxxing and harassment incident, the bincode team has taken the decision to cease development permanently. The team considers version 1.3.3 a complete version of bincode that is not in need of any updates. Alternatives to consider wincode postcard bitcode rkyv...

EUVD-2021-1908

Malware in sbrugna...

Use of uninitialized buffer in rkyv

An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct...

rkyv_dyn (>=0.1.0 <=0.5.1), stackstring (=0.0.2) +12 more potentially affected by CVE-2021-31919 via rkyv (>=0.1.1 <=0.5.2)

rkyv CARGO version =0.1.1, =0.1.0, =0.1.1, =0.1.2, =0.1.0, =0.9.0, =0.9.0, =0.9.0, =0.8.0, =0.1.0, =0.9.0, =0.1.0, =0.1.0, =0.1.0, =0.1.5 Source cves: CVE-2021-31919 Source advisory: OSV:GHSA-W5CR-FRPH-HW7F...

GHSA-W5CR-FRPH-HW7F Use of uninitialized buffer in rkyv

An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct...

Unspecified Vulnerability in Rust (CNVD-2021-38316)

Rust is a general-purpose, compiled programming language from the Mozilla Foundation. A security vulnerability exists in Rust rkyv crate versions prior to 0.6.0, which stems from the fact that when an archive is created via serialization, the contents of the archive may contain uninitialized valu...

CVE-2021-31919

An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct...