Intel

AIKIDO-2026-548773

anyhow is vulnerable to Undefined Behavior

Undefined Behavior Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

25

Low Risk

This Affects:

RUSTanyhow
0.0.1 - 1.0.102
Fixed in 1.0.103
Are you affected? Scan for Free

TL;DR

The Error::downcast_mut method builds a mutable reference by reusing the object_downcast vtable path that was designed for immutable downcasting, computing the target address from a shared (&) reference and then coercing it into &mut. When an error is created with Error::context and later downcast via downcast_mut, writing through the returned reference violates Rust's aliasing rules and triggers undefined behavior (a Stacked Borrows violation confirmed by Miri). Depending on the compiler and program, this invalid retag can lead to memory corruption or miscompilation. The fix revises how the reference is constructed, using a raw pointer (ptr::addr_of!) instead of laundering through a shared reference so the resulting borrow chain no longer includes a shared reference.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application calls Error::downcast_mut on an error created with Error::context.

Background info

anyhow is vulnerable to Undefined Behavior in versions 0.0.1 - 1.0.102.

How to fix this

Upgrade the anyhow library to the patch version.