CVE-2026-25541

EUVD-2026-5321
Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
tokio-rsbytes
1.2.1 ≤
𝑥
< 1.11.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rust-bytes
bookworm
no-dsa
bullseye
0.4.12-1
fixed
forky
1.11.1-1
fixed
sid
1.11.1-1
fixed
trixie
no-dsa
Azure Linux logo
Azure Linux Releases
Azure Package
Release
azl-compliance
CBL-Mariner 2.0
0:1.0.2-3.cm2
fixed
kata-containers
Azure Linux 3.0
0:3.19.1.kata2-5.azl3
fixed
netavark
Azure Linux 3.0
0:1.10.3-7.azl3
fixed
rpm-ostree
Azure Linux 3.0
0:2024.4-8.azl3
fixed
rust
Azure Linux 3.0
0:1.75.0-27.azl3
fixed
CBL-Mariner 2.0
0:1.72.0-15.cm2
fixed
rust-afterburn
Azure Linux 3.0
0:5.8.2-2.azl3
fixed
trident
Azure Linux 3.0
0:0.22.0-1.azl3
fixed