RUSTSEC-2026-0152
Use-after-free
Details
Affected versions of `oneringbuf` exposed the obsolete `IntoRef::into_ref` method through the public `IntoRef` trait. For heap-backed ring buffers, this method returned a `DroppableRef` handle.
`DroppableRef` stored an owning raw pointer created from `Box::into_raw`. Its `Clone` implementation copied this raw pointer without incrementing the internal `alive_iters` counter. Internally, this clone pattern appears to rely on a fixed number of handles being created to match the initial `alive_iters` value. However, exposing `DroppableRef` through the public `IntoRef::TargetRef` associated type allows safe external code to create additional clones beyond that fixed count, breaking the lifetime protocol. `Drop` later dereferenced the pointer and could free the backing allocation with `Box::from_raw`.
Safe code could call `IntoRef::into_ref` to obtain a `DroppableRef` and then clone it. Each clone pointed to the same allocation, but the internal `alive_iters` counter was not increased. As a result, one clone could free the allocation while another clone still existed. Dropping the remaining clone then accessed freed memory, causing a heap-use-after-free.
The issue was fixed in version 0.8.0 by removing the obsolete `into_ref` method.
## Trigger
```rust use oneringbuf::{IntoRef, LocalHeapRB};
fn main() { let rb = LocalHeapRB::<usize>::from(vec![1, 2, 3]);
let r = <LocalHeapRB<usize> as IntoRef>::into_ref(rb); let r2 = r.clone(); let r3 = r.clone();
drop(r); drop(r2); drop(r3); // AddressSanitizer: heap-use-after-free } ```
Are you affected?
Enter the version of the package you're using.
Affected packages
0.0.0-0 Fixed in: 0.8.0 Upgrade oneringbuf to 0.8.0 or newer (ecosystem crates.io).
References
- https://crates.io/crates/oneringbuf [PACKAGE]
- https://rustsec.org/advisories/RUSTSEC-2026-0152.html [ADVISORY]
- https://github.com/skilvingr/rust-oneringbuf/commit/643a24b30914068416dff9021a069c12c865a316 [WEB]
- https://github.com/skilvingr/rust-oneringbuf/commit/643a24b30914068416dff9021a069c12c865a316 [WEB]