NULL Pointer Dereference Affecting rkyv package, versions <0.7.46>=0.8.0 <0.8.13
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-RKYV-14894358
- published7 Jan 2026
- disclosed5 Jan 2026
- creditUnknown
Introduced: 5 Jan 2026
CVE NOT AVAILABLE CWE-476 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade rkyv to version 0.7.46, 0.8.13 or higher.
Overview
rkyv is a zero-copy deserialization framework for Rust.
Affected versions of this package are vulnerable to NULL Pointer Dereference due to improper handling of null pointers returned by the allocator in the SharedPointer::alloc process. An attacker can cause undefined behavior and potentially execute arbitrary code or crash the application by triggering an out-of-memory condition during the allocation of shared pointers, which leads to dereferencing a null pointer through safe deserialization APIs.