Intel

AIKIDO-2026-540556

bytes is vulnerable to Double Free

Double Free Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

30

Low Risk

This Affects:

RUSTbytes
0.4.0 - 1.12.0
Fixed in 1.12.1
Are you affected? Scan for Free

TL;DR

In Bytes and BytesMut, the internal reference-counted Shared structure is built by constructing it directly inside Box::new, so the Shared value takes ownership of the existing buffer before the heap allocation completes. If that allocation unwinds via a panic, which is possible when the global allocator is configured to panic instead of abort on allocation failure, the partially constructed Shared and the original owner are both dropped and free the same buffer, causing a double free. This affects the From<Vec> conversion, Bytes::shallow_clone_vec, and BytesMut::promote_to_shared. The fix allocates uninitialized memory first with MaybeUninit and only writes the Shared value after the allocation succeeds, so no partially initialized data is dropped on unwinding.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application configures a custom global allocator that panics rather than aborts on allocation failure.

Background info

bytes is vulnerable to Double Free in versions 0.4.0 - 1.12.0.

How to fix this

Upgrade the bytes library to the patch version.