CVE-2026-44983: smallbitvec: Integer overflow in safe API leads to heap buffer overflow

May 9, 2026

An integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller.

References

github.com/advisories/GHSA-97wc-2hqc-cjgr
github.com/servo/smallbitvec
github.com/servo/smallbitvec/security/advisories/GHSA-97wc-2hqc-cjgr
nvd.nist.gov/vuln/detail/CVE-2026-44983

Code Behaviors & Features

Detect and mitigate CVE-2026-44983 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →