Lib.rs

SliceRingBuffer › Reviews
RUSTSEC-2025-0044 on 2025-06-16: Four unique double-free vulnerabilities triggered via safe APIs

The crate slice-ring-buffer was developed as a fork of slice-deque to continue maintenance and provide security patches, since the latter has been officially unmaintained (RUSTSEC-2020-0158).

While slice-ring-buffer has addressed some previously reported memory safety issues inherited from its fork origin (RUSTSEC-2021-0047), it still retains multiple unresolved memory corruption vulnerabilities.

Specifically, we have discovered four new memory safety bugs, each resulting in double-free violations that can occur when only safe APIs are invoked. These vulnerabilities correspond to four distinct safe APIs in the crate, each exposing unsound and vulnerable behavior due to incorrect usage of unsafe code internally.

Unfortunately, the maintainer doesn't have much availability to resolve these issues so there's no concrete timeline for fixes. Community contributions towards fixing these vulnerabilities would be much appreciated.

GHSA-7mcq-f592-pf7v

This review is from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.

cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.

safe-to-run

This crate can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences. More…

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.

To review the actual code of the crate, it's best to use cargo crev open slice-ring-buffer. Alternatively, you can download the tarball of slice-ring-buffer v0.3.4 or view the source online.