RUSTSEC-2026-0176
Out-of-bounds read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators
Details
PyO3 0.24.0 added optimized implementations of `Iterator::nth` and `DoubleEndedIterator::nth_back` for the `BoundListIterator` and `BoundTupleIterator` types. These implementations computed the target index using unchecked `usize` addition (`index + n`) before bounds-checking against the sequence length, then read the element via `get_item_unchecked`.
In the `nth` methods, a sufficiently large `n` combined with a non-zero internal index could make the addition overflow and wrap around, producing a small "target index" that passed the bounds check and allowed reads from the front of the `list` or `tuple`, that is, of elements the iterator had already yielded. (The wrap occurs in release builds; with overflow checks enabled, as in default debug builds, the addition panics instead.)
In the `nth_back` methods, a sufficiently large `n` could underflow the subtraction in the same way, but the wrapped index instead allowed reads of arbitrary memory past the end of the `list` or `tuple` storage.
PyO3 0.29.0 has corrected these methods to use checked arithmetic at the positions which could be at risk of overflow.
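The following is an added, self-contained model of the flawed arithmetic and its checked replacement; it is not PyO3's own code. A Rust slice stands in for the Python `list`/`tuple` storage, and the front/back cursor layout (`front + n` for `nth`, `back - 1 - n` for `nth_back`) is an assumed simplification of the real iterators' bookkeeping. The vulnerable helpers use `wrapping_*` so the demonstration behaves identically in debug and release builds, where plain `+`/`-` would respectively panic and wrap silently.

```rust
// Illustrative model of the RUSTSEC-2026-0176 pattern and its fix; not PyO3's code.
// A slice stands in for list/tuple storage; the real iterators read through
// get_item_unchecked, which is why a bad index became an out-of-bounds read.

/// Vulnerable `nth` index arithmetic: the target is computed before the bounds
/// check, so with front > 0 and a huge n the sum wraps to a small index that
/// passes `target < back` and points at an already-yielded element.
fn vulnerable_nth_target(front: usize, back: usize, n: usize) -> Option<usize> {
    let target = front.wrapping_add(n);
    if target < back { Some(target) } else { None }
}

/// Vulnerable `nth_back` arithmetic (assumed shape: back - 1 - n): underflow wraps
/// to a huge index that still satisfies `target >= front`, so the check passes and
/// the read lands far past the end of the storage.
fn vulnerable_nth_back_target(front: usize, back: usize, n: usize) -> Option<usize> {
    let target = back.wrapping_sub(1).wrapping_sub(n);
    if target >= front { Some(target) } else { None }
}

/// Corrected `nth` arithmetic: checked addition, `None` on overflow or out of range.
fn checked_nth_target(front: usize, back: usize, n: usize) -> Option<usize> {
    front.checked_add(n).filter(|&t| t < back)
}

/// Corrected `nth_back` arithmetic: every subtraction is checked.
fn checked_nth_back_target(front: usize, back: usize, n: usize) -> Option<usize> {
    back.checked_sub(1)?.checked_sub(n).filter(|&t| t >= front)
}

/// Minimal double-ended iterator over a slice built on the checked arithmetic.
pub struct SliceIter<'a, T> {
    items: &'a [T],
    front: usize, // next index to yield from the front
    back: usize,  // one past the next index to yield from the back
}

impl<'a, T> SliceIter<'a, T> {
    pub fn new(items: &'a [T]) -> Self {
        Self { items, front: 0, back: items.len() }
    }
}

impl<'a, T> Iterator for SliceIter<'a, T> {
    type Item = &'a T;

    fn next(&mut self) -> Option<&'a T> {
        self.nth(0)
    }

    fn nth(&mut self, n: usize) -> Option<&'a T> {
        match checked_nth_target(self.front, self.back, n) {
            Some(target) => {
                self.front = target + 1; // target < back <= len, cannot overflow
                Some(&self.items[target]) // safe indexing stands in for get_item_unchecked
            }
            None => {
                self.front = self.back; // std semantics: an overshoot exhausts the iterator
                None
            }
        }
    }
}

impl<'a, T> DoubleEndedIterator for SliceIter<'a, T> {
    fn next_back(&mut self) -> Option<&'a T> {
        self.nth_back(0)
    }

    fn nth_back(&mut self, n: usize) -> Option<&'a T> {
        match checked_nth_back_target(self.front, self.back, n) {
            Some(target) => {
                self.back = target;
                Some(&self.items[target])
            }
            None => {
                self.back = self.front;
                None
            }
        }
    }
}

fn main() {
    let items = ["a", "b", "c", "d"]; // constructed sample storage
    // Vulnerable nth: one element already yielded (front = 1), then a huge n.
    let t = vulnerable_nth_target(1, items.len(), usize::MAX);
    println!("vulnerable nth target: {:?} -> already-yielded {:?}", t, t.map(|i| items[i]));
    // Vulnerable nth_back: n equal to the length underflows to usize::MAX.
    let t = vulnerable_nth_back_target(0, items.len(), items.len());
    println!("vulnerable nth_back target: {:?} (far past the end of storage)", t);
    // Fixed iterator rejects both requests.
    let mut it = SliceIter::new(&items);
    it.next();
    println!("fixed nth(usize::MAX): {:?}", it.nth(usize::MAX));
    let mut it = SliceIter::new(&items);
    println!("fixed nth_back(len): {:?}", it.nth_back(items.len()));
}
```

The two `vulnerable_*` helpers return the index that would have been handed to the unchecked read rather than performing it, so the effect of the wrap is visible without unsafe code: `Some(0)` for a front cursor of 1 (a re-read of a yielded element), and `Some(usize::MAX)` for the back cursor (an index far outside the allocation).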
Affected packages
pyo3 (crates.io): affected from 0.24.0, patched in 0.29.0. Upgrade pyo3 to 0.29.0 or newer.