Intel

AIKIDO-2026-673528

tinyvec is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource Consumption Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

39

Low Risk

This Affects:

RUSTtinyvec
1.9.0 - 1.11.0
Fixed in 1.11.1
Are you affected? Scan for Free

TL;DR

The borsh BorshDeserialize implementation for TinyVec reads an attacker-controlled length prefix and passes it straight to with_capacity, eagerly preallocating memory before a single element is read. A hostile length value forces a huge allocation that can exhaust memory and abort the process, causing a denial of service. The fix adds a cautious_capacity helper that caps the initial reservation to a small byte budget and lets the container grow via push as real elements arrive. The same cap is applied to the bin-proto decode and serde sequence size-hint allocation paths.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and deserialize untrusted borsh input into a TinyVec.

Background info

tinyvec is vulnerable to Uncontrolled Resource Consumption in versions 1.9.0 - 1.11.0.

How to fix this

Upgrade the tinyvec library to the patch version.