GHSA-vfvv-c25p-m7mm: rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution

May 15, 2026

InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element’s Drop implementation panics during the loop, self.len is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the already-freed elements:

InlineVec::clear() is called again from InlineVec’s own Drop implementation when the value is later dropped.
SerVec::clear() is called again by SerVec::with_capacity() after the user closure returns.

References

Code Behaviors & Features

Detect and mitigate GHSA-vfvv-c25p-m7mm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →