VDB
EN

RUSTSEC-2026-0152

Use-after-free

상세

Affected versions of `oneringbuf` exposed the obsolete `IntoRef::into_ref` method through the public `IntoRef` trait. For heap-backed ring buffers, this method returned a `DroppableRef` handle.

`DroppableRef` stored an owning raw pointer created from `Box::into_raw`. Its `Clone` implementation copied this raw pointer without incrementing the internal `alive_iters` counter. Internally, this clone pattern appears to rely on a fixed number of handles being created to match the initial `alive_iters` value. However, exposing `DroppableRef` through the public `IntoRef::TargetRef` associated type allows safe external code to create additional clones beyond that fixed count, breaking the lifetime protocol. `Drop` later dereferenced the pointer and could free the backing allocation with `Box::from_raw`.

Safe code could call `IntoRef::into_ref` to obtain a `DroppableRef` and then clone it. Each clone pointed to the same allocation, but the internal `alive_iters` counter was not increased. As a result, one clone could free the allocation while another clone still existed. Dropping the remaining clone then accessed freed memory, causing a heap-use-after-free.

The issue was fixed in version 0.8.0 by removing the obsolete `into_ref` method.

## Trigger

```rust use oneringbuf::{IntoRef, LocalHeapRB};

fn main() { let rb = LocalHeapRB::<usize>::from(vec![1, 2, 3]);

let r = <LocalHeapRB<usize> as IntoRef>::into_ref(rb); let r2 = r.clone(); let r3 = r.clone();

drop(r); drop(r2); drop(r3); // AddressSanitizer: heap-use-after-free } ```

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

crates.io / oneringbuf
최초 영향 버전: 0.0.0-0 수정 버전: 0.8.0

Upgrade oneringbuf to 0.8.0 or newer (ecosystem crates.io).

참고