## Rust Crate 'bytes' Security Flaw: Unchecked Addition in `BytesMut::reserve` Could Trigger Memory Corruption (CVE-2026-25541) A critical memory safety vulnerability has been disclosed in the widely-used Rust crate `bytes`, allowing for potential out-of-bounds memory access and undefined behavior. The flaw, tracked as CVE-2026-25541, resides in the unique reclaim path of the `BytesMut::reserve` function. In release builds, an unchecked addition operation (`new_cap + offset`) can overflow a `usize` integer. This overflow may cause a critical condition check to incorrectly pass, corrupting the internal capacity (`self.cap`) field to a value larger than the actual allocated memory. This corrupted capacity value is then trusted by subsequent APIs, such as `spare_capacity_mut()`, which can create slices pointing to memory outside the bounds of the original allocation. The vulnerability is specific to release builds where integer overflow wraps around; debug builds with overflow checks will panic, making the bug observable but not exploitable. The security advisory from the `tokio-rs/bytes` repository provides a proof-of-concept demonstrating the issue, which stems from a logic error in capacity management during reclamation. The fix is included in version 1.11.1 of the `bytes` crate. This update patches the unsafe code path by ensuring the addition is checked or the condition is evaluated safely to prevent capacity corruption. Given the crate's foundational role in network programming and asynchronous I/O within the Rust ecosystem—particularly for projects using the Tokio runtime—this security update is urgent for maintaining memory safety guarantees. Developers are strongly advised to update their dependency from versions like 1.9.0 to the patched 1.11.1 release to mitigate the risk of memory corruption and subsequent undefined behavior in production applications. --- - **Source**: GitHub Issues - **Sector**: The Lab - **Tags**: rust, memory-safety, cve, software-security, tokio - **Credibility**: unverified - **Published**: 2026-04-15 18:23:08 - **ID**: 66060 - **URL**: https://whisperx.ai/en/intel/66060