RUSTSEC-2026-0176
Out-of-bounds read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators
Details
PyO3 0.24.0 added optimized implementations of `Iterator::nth` and `DoubleEndedIterator::nth_back` for the `BoundListIterator` and `BoundTupleIterator` types. These implementations computed the target index using unchecked `usize` addition (`index + n`) before bounds-checking against the sequence length, then read the element via `get_item_unchecked`.
In `nth` methods, a sufficiently large `n` (combined with a non-zero internal index) could cause the addition to overflow and wrap around, producing a small "target index" that passed the bounds check and enabling reads at the front of the `list` or `tuple` of elements previously yielded by the iterator.
In `nth_back` methods, a sufficiently large `n` could cause the subtraction to underflow in a similar fashion, but the wrapped target would instead pass the check and allow reads of arbitrary memory past the end of the `list` or `tuple` storage.
PyO3 0.29.0 has corrected these methods to use checked arithmetic at the positions which could be at risk of overflow.
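The two arithmetic patterns described above, reproduced here as an added example that is not PyO3's own code: a model cursor over a plain slice keeps the same `index` / `index_back` pair the advisory describes, computes the target position with wrapping arithmetic (what `index + n` and `index_back - n` do in a release build) so the wrap is deterministic, and then applies the bounds check to the wrapped value. The methods return the element position the check accepted rather than performing an unchecked read, so the effect is visible without unsafe code: the forward wrap lands on an element already yielded, and the backward wrap lands one past the end of the storage. The `_checked` variants use `checked_add` / `checked_sub`, the fix the advisory states for 0.29.0. The `Cursor` type and all method names are assumptions for this illustration.

```rust
/// Model of a double-ended sequence iterator (hypothetical, not PyO3's type):
/// `index` is the next front position, `index_back` is one past the next back
/// position, and elements in `index..index_back` are not yet yielded.
pub struct Cursor<'a, T> {
    items: &'a [T],
    index: usize,
    index_back: usize,
}

impl<'a, T> Cursor<'a, T> {
    pub fn new(items: &'a [T]) -> Self {
        Cursor { items, index: 0, index_back: items.len() }
    }

    /// Ordinary forward step, used to give `index` a non-zero value.
    pub fn next(&mut self) -> Option<&'a T> {
        if self.index < self.index_back {
            let i = self.index;
            self.index += 1;
            self.items.get(i)
        } else {
            None
        }
    }

    /// Vulnerable pattern: `index + n` wraps in release builds, and the small
    /// wrapped value then satisfies `target < index_back`. Returns the position
    /// the check accepted; a real unchecked read would fetch that element.
    pub fn nth_unchecked_pattern(&mut self, n: usize) -> Option<usize> {
        let target = self.index.wrapping_add(n);
        if target < self.index_back {
            self.index = target + 1;
            Some(target)
        } else {
            None
        }
    }

    /// Fixed pattern: overflow is reported as `None` before any bounds check.
    pub fn nth_checked(&mut self, n: usize) -> Option<usize> {
        let target = self.index.checked_add(n)?;
        if target < self.index_back {
            self.index = target + 1;
            Some(target)
        } else {
            None
        }
    }

    /// Vulnerable pattern: `index_back - n` wraps to a value larger than
    /// `index_back`, passes `target > index`, and the read position `target - 1`
    /// is at or beyond the length of the storage.
    pub fn nth_back_unchecked_pattern(&mut self, n: usize) -> Option<usize> {
        let target = self.index_back.wrapping_sub(n);
        if target > self.index {
            self.index_back = target - 1;
            Some(target - 1)
        } else {
            None
        }
    }

    /// Fixed pattern: underflow is reported as `None` before any bounds check.
    pub fn nth_back_checked(&mut self, n: usize) -> Option<usize> {
        let target = self.index_back.checked_sub(n)?;
        if target > self.index {
            self.index_back = target - 1;
            Some(target - 1)
        } else {
            None
        }
    }

    pub fn len(&self) -> usize {
        self.items.len()
    }
}

fn main() {
    // Constructed sample data; five elements, so valid positions are 0..5.
    let data = [10u32, 20, 30, 40, 50];

    let mut c = Cursor::new(&data);
    c.next();
    c.next();
    c.next(); // index is now 3
    // 3 + (usize::MAX - 1) wraps to 1: an element already yielded.
    println!("nth (wrapping) read position: {:?}", c.nth_unchecked_pattern(usize::MAX - 1));

    let mut c = Cursor::new(&data);
    // 5 - usize::MAX wraps to 6, read position 5 == len: past the end.
    let pos = c.nth_back_unchecked_pattern(usize::MAX);
    println!("nth_back (wrapping) read position: {:?} (len {})", pos, c.len());

    let mut c = Cursor::new(&data);
    println!("nth (checked): {:?}", c.nth_checked(usize::MAX - 1));
    let mut c = Cursor::new(&data);
    println!("nth_back (checked): {:?}", c.nth_back_checked(usize::MAX));
}
```

The point of returning positions is that the bounds check itself is not wrong; it is applied to a value that has already wrapped. Any audit of a hand-written `nth` or `nth_back` that precedes an unchecked read should therefore look at how the target is derived from the caller-supplied `n`, not only at the comparison that follows.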
Affected packages
pyo3 (crates.io): 0.24.0, fixed in 0.29.0. Upgrade pyo3 to 0.29.0 or newer.