Access of Resource Using Incompatible Type ('Type Confusion') Affecting pyo3 package, versions >=0.28.0 <0.28.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Access of Resource Using Incompatible Type ('Type Confusion') vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-RUST-PYO3-15324283
- published20 Feb 2026
- disclosed19 Feb 2026
- creditUnknown
Introduced: 19 Feb 2026
New CVE NOT AVAILABLE CWE-843 (opens in a new tab)How to fix?
Upgrade pyo3 to version 0.28.2 or higher.
Overview
pyo3 is a package that provides Rust bindings for Python. This includes running and interacting with Python code from a Rust binary, as well as writing native Python modules.
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the #[pyclass(extends=PyList)] struct NativeSub support in the abi3 feature. An attacker can cause memory corruption by creating specially crafted subclass hierarchies that trigger type confusion during data access.
Note:
Versions 0.28.0 and 0.28.1 where support for NativeSub was added were removed from package registry.