bytes is vulnerable to Double Free
30
Low Risk
In Bytes and BytesMut, the internal reference-counted Shared structure is built by constructing it directly inside Box::new, so the Shared value takes ownership of the existing buffer before the heap allocation completes. If that allocation unwinds via a panic, which is possible when the global allocator is configured to panic instead of abort on allocation failure, the partially constructed Shared and the original owner are both dropped and free the same buffer, causing a double free. This affects the From<Vec> conversion, Bytes::shallow_clone_vec, and BytesMut::promote_to_shared. The fix allocates uninitialized memory first with MaybeUninit and only writes the Shared value after the allocation succeeds, so no partially initialized data is dropped on unwinding.
You are affected if you are using a version that falls within the vulnerable range and your application configures a custom global allocator that panics rather than aborts on allocation failure.
bytes is vulnerable to Double Free in versions 0.4.0 - 1.12.0.
Upgrade the bytes library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant