Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. oneringbuf
  4. ›
  5. GHSA-q95x-7g78-rccv

GHSA-q95x-7g78-rccv: OneRingBuf has a Use After Free Vulnerability

July 8, 2026

Affected versions of oneringbuf exposed the obsolete IntoRef::into_ref method through the public IntoRef trait. For heap-backed ring buffers, this method returned a DroppableRef handle.

DroppableRef stored an owning raw pointer created from Box::into_raw. Its Clone implementation copied this raw pointer without incrementing the internal alive_iters counter. Internally, this clone pattern appears to rely on a fixed number of handles being created to match the initial alive_iters value. However, exposing DroppableRef through the public IntoRef::TargetRef associated type allows safe external code to create additional clones beyond that fixed count, breaking the lifetime protocol. Drop later dereferenced the pointer and could free the backing allocation with Box::from_raw.

Safe code could call IntoRef::into_ref to obtain a DroppableRef and then clone it. Each clone pointed to the same allocation, but the internal alive_iters counter was not increased. As a result, one clone could free the allocation while another clone still existed. Dropping the remaining clone then accessed freed memory, causing a heap-use-after-free.

The issue was fixed in version 0.8.0 by removing the obsolete into_ref method.

References

  • github.com/advisories/GHSA-q95x-7g78-rccv
  • github.com/skilvingr/rust-oneringbuf/commit/643a24b30914068416dff9021a069c12c865a316
  • rustsec.org/advisories/RUSTSEC-2026-0152.html

Code Behaviors & Features

Detect and mitigate GHSA-q95x-7g78-rccv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.8.0

Fixed versions

  • 0.8.0

Solution

Upgrade to version 0.8.0 or above.

Impact 7.3 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Learn more about CVSS

Weakness

  • CWE-416: Use After Free

Source file

cargo/oneringbuf/GHSA-q95x-7g78-rccv.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 09 Jul 2026 12:20:20 +0000.