github-actions[bot] opened issue #12592:
Integer overflow in BytesMut::reserve

Details
Package: bytes
Version: 1.10.1
URL: https://github.com/advisories/GHSA-434x-w66g-qw3r
Date: 2026-02-03
Patched versions: >=1.11.1
Unaffected versions: <1.2.1

In the unique reclaim path of `BytesMut::reserve`, the condition `if v_capacity >= new_cap + offset` uses an unchecked addition. When `new_cap + offset` overflows `usize` in release builds, this condition may incorrectly pass, causing `self.cap` to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as `spare_capacity_mut()` then trust this corrupted `cap` value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.

PoC

```rust
use bytes::*;

fn main() {
    let mut a = BytesMut::from(&b"hello world"[..]);
    let mut b = a.split_off(5);
    // Ensure b becomes the unique owner of the backing storage
    drop(a);
    // Trigger overflow in new_cap + offset inside reserve
    b.reserve(usize::MAX - 6);
    // This call relies on the corrupted cap and may cause UB & HBO
    b.put_u8(b'h');
}
```

Workarounds

Users of `BytesMut::reserve` are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.

See advisory page for additional details.
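The arithmetic behind the advisory, as an added example that is not code from the bytes crate or from the advisory: a minimal model of the reclaim-path capacity check in its unchecked form (wrapping, as a release build behaves) beside a checked form that treats overflow as "does not fit", driven by the PoC's numbers. The backing capacity of 11 and the checked_add fix pattern are assumptions for illustration, not the crate's actual patch.

```rust
// Added example, not code from the bytes crate: a minimal model of the
// capacity check in BytesMut::reserve's unique-reclaim path, in two forms.

/// Models the vulnerable condition `v_capacity >= new_cap + offset` as it
/// behaves in a release build where overflow wraps. Returns true when the
/// reclaim path would be taken (wrongly, once the addition overflows).
pub fn reclaim_fits_wrapping(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    // wrapping_add makes the release-build behaviour explicit and portable:
    // with a plain `+` a debug build would panic here instead.
    v_capacity >= new_cap.wrapping_add(offset)
}

/// Hardened form (an assumed fix pattern, not necessarily the crate's actual
/// patch): an overflowing requirement can never fit in the existing buffer.
pub fn reclaim_fits_checked(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    match new_cap.checked_add(offset) {
        Some(needed) => v_capacity >= needed,
        None => false,
    }
}

/// Reproduces the PoC's arithmetic: `b` is " world" (len 6) starting at
/// offset 5 inside the backing allocation of b"hello world", and the caller
/// asks for `usize::MAX - 6` additional bytes. The backing capacity of 11
/// is an assumption (a Vec built from an 11-byte slice).
pub fn poc_numbers() -> (usize, usize, usize) {
    let v_capacity = 11; // assumed backing Vec capacity
    let len = 6; // b.len()
    let additional = usize::MAX - 6;
    let new_cap = len + additional; // == usize::MAX, no overflow yet
    let offset = 5; // b's start within the allocation
    (v_capacity, new_cap, offset)
}

fn main() {
    let (v_capacity, new_cap, offset) = poc_numbers();
    // usize::MAX + 5 wraps to 4, so the unchecked form accepts the reclaim.
    println!("wrapping: {}", reclaim_fits_wrapping(v_capacity, new_cap, offset));
    println!("checked:  {}", reclaim_fits_checked(v_capacity, new_cap, offset));
}
```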
alexcrichton closed issue #12592:
Last updated: Feb 24 2026 at 04:36 UTC