RUSTSEC-2026-0013

Type confusion when accessing data from subclasses of subclasses of native types with `abi3` feature targeting Python 3.12 and up

Details

PyO3 0.28.1 added support for `#[pyclass(extends=PyList)] struct NativeSub` (and other native types) when targeting Python 3.12 and up with the `abi3` feature.

It was discovered that subclasses of such classes would use the type of the subclass when attempting to access the data of `NativeSub` contained within Python objects, amounting to memory corruption.

PyO3 0.28.2 fixed the issue by using the type of (e.g.) `NativeSub` correctly.

Affected packages

crates.io / pyo3
Introduced in: 0.28.0 Fixed in: 0.28.2

Upgrade pyo3 to 0.28.2 or newer (ecosystem crates.io).
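
One way to check a project's `Cargo.lock` against the range listed above, as an added example that is not part of the advisory or of PyO3 (the function names and the sample lock file are constructed for illustration). `Cargo.lock` records neither enabled features nor the targeted Python version, so a hit means the locked version is in range, not that the `abi3` and Python 3.12+ conditions are met.

```rust
// Added example, not the advisory's code; SAMPLE_LOCK below is constructed.
// Range from "Affected packages"; 4th field: 0 = pre-release, 1 = release.
const INTRODUCED: (u64, u64, u64, u64) = (0, 28, 0, 1);
const FIXED: (u64, u64, u64, u64) = (0, 28, 2, 1);

const SAMPLE_LOCK: &str = r#"
[[package]]
name = "pyo3"
version = "0.28.1"
[[package]]
name = "pyo3-ffi"
version = "0.28.1"
[[package]]
name = "pyo3"
version = "0.22.6"
"#;

/// Parses "X.Y.Z[-pre][+build]" so that a pre-release sorts before its release.
fn parse_version(v: &str) -> Option<(u64, u64, u64, u64)> {
    let v = v.split('+').next()?; // build metadata does not affect ordering
    let (core, rel) = v.split_once('-').map_or((v, 1), |(c, _)| (c, 0));
    let mut n = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((n.next()??, n.next()??, n.next()??, rel))
}

/// True when INTRODUCED <= v < FIXED; unparseable versions are not flagged.
fn is_affected(v: &str) -> bool {
    parse_version(v).map_or(false, |p| INTRODUCED <= p && p < FIXED)
}

/// Reads `key = "value"` from one lock-file line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Versions of every `pyo3` package entry that fall in the affected range.
fn affected_pyo3(lock: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), "");
    for line in lock.lines().map(str::trim) {
        if let Some(n) = field(line, "name") {
            name = n;
        } else if let Some(v) = field(line, "version") {
            if name == "pyo3" && is_affected(v) { hits.push(v.to_string()); }
        }
    }
    hits
}
fn main() { println!("affected pyo3: {:?}", affected_pyo3(SAMPLE_LOCK)); }
```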