RUSTSEC-2026-0191

`EbpfVm::invoke_function` performs out-of-bounds pointer arithmetic

Details

Affected versions of `solana_rbpf` expose the safe method `EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by casting `self` to `*mut u64` and applying a randomized offset derived from `get_runtime_environment_key()`.

The resulting pointer arithmetic is performed with `ptr::offset`, which requires the computed pointer to remain within the same allocation. In practice, the randomized offset can move the pointer far outside the allocation containing the `EbpfVm`, causing undefined behavior before the supplied builtin function is invoked.
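The precondition at issue, as an added example (not code from `solana_rbpf` or `solana-sbpf`, and not a reproduction of the upstream fix). `Vm`, the function names, and the `i32` key standing in for the value from `get_runtime_environment_key()` are hypothetical. It contrasts the `ptr::offset` form with `wrapping_offset`, which places no in-bounds requirement on computing the pointer.

```rust
use std::mem::size_of;

/// Hypothetical stand-in for the VM struct; not the crate's `EbpfVm`.
pub struct Vm {
    pub registers: [u64; 12],
}

/// Pattern the advisory describes. `ptr::offset` requires the result to stay
/// inside, or one past the end of, the allocation holding `vm`. A random key
/// breaks that, so computing the pointer is already undefined behavior.
/// Kept for comparison only; nothing in this example calls it.
#[allow(dead_code)]
pub unsafe fn obfuscate_with_offset(vm: *mut Vm, key: i32) -> *mut u64 {
    unsafe { (vm as *mut u64).offset(key as isize) }
}

/// True only when `offset(key)` on a pointer to the start of a `Vm`
/// would satisfy the in-bounds precondition (key counts `u64` elements).
pub fn offset_in_bounds(key: i32) -> bool {
    let bytes = (key as i64) * size_of::<u64>() as i64;
    (0..=size_of::<Vm>() as i64).contains(&bytes)
}

/// `wrapping_offset` may leave the allocation while the pointer is only
/// stored or passed around; it must not be dereferenced in that state.
pub fn obfuscate(vm: *mut Vm, key: i32) -> *mut u64 {
    (vm as *mut u64).wrapping_offset(key as isize)
}

/// Undo the shift; the result points at the original `Vm` again.
pub fn deobfuscate(ptr: *mut u64, key: i32) -> *mut Vm {
    ptr.wrapping_offset((key as isize).wrapping_neg()) as *mut Vm
}

fn main() {
    let mut vm = Vm { registers: [7; 12] };
    let key: i32 = 0x5eed_1234; // constructed sample key
    let hidden = obfuscate(&mut vm, key);
    let back = deobfuscate(hidden, key);
    // `back` is in bounds again and keeps the provenance of `vm`.
    let r0 = unsafe { (*back).registers[0] };
    println!("offset_in_bounds={} r0={}", offset_in_bounds(key), r0);
}
```

Running the `offset` variant under Miri with an out-of-range key is a practical way to confirm the violation in code that follows the same pattern.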

## Unmaintained

The upstream `solana_rbpf` repository is archived, and no patched version of this crate is currently available.

Users should migrate to the maintained [`solana-sbpf`](https://crates.io/crates/solana-sbpf) crate. The issue has been fixed there in [`anza-xyz/sbpf#151`](https://github.com/anza-xyz/sbpf/pull/151).

Affected packages

crates.io / solana_rbpf
Introduced in: 0.8.0

No fixed version published yet for solana_rbpf. Pin to a known-safe version or switch to an alternative.

References