NULL Pointer Dereference Affecting rkyv package, versions <0.7.46>=0.8.0 <0.8.13
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-RUST-RKYV-14894358
- published7 Jan 2026
- disclosed5 Jan 2026
- creditUnknown
Introduced: 5 Jan 2026
New CVE NOT AVAILABLE CWE-476 (opens in a new tab)How to fix?
Upgrade rkyv to version 0.7.46, 0.8.13 or higher.
Overview
rkyv is a zero-copy deserialization framework for Rust.
Affected versions of this package are vulnerable to NULL Pointer Dereference due to improper handling of null pointers returned by the allocator in the SharedPointer::alloc process. An attacker can cause undefined behavior and potentially execute arbitrary code or crash the application by triggering an out-of-memory condition during the allocation of shared pointers, which leads to dereferencing a null pointer through safe deserialization APIs.