Conversation

@michalsidzej

Summary

This PR updates the rkyv dependency from 0.7.42 to 0.8.13 to address a security vulnerability.

Security Advisory

RUSTSEC-2026-0001: Potential Undefined Behavior in Arc<T>/Rc<T> impls of from_value on OOM

The vulnerability involves improper null pointer handling in allocation routines for shared pointer types. When memory allocation fails (OOM), the implementation fails to validate whether the allocator returned a null pointer, which then gets passed to Box::from_raw(), triggering undefined behavior. This can be exploited through safe deserialization APIs like rkyv::from_bytes.

Affected versions: < 0.8.13
Patched versions: >= 0.8.13

Changes

  • Bumped rkyv version from 0.7.42 to 0.8.13
  • Updated rkyv feature flags: size_32 → pointer_width_32
  • Updated rkyv-safe feature: rkyv/validation → rkyv/bytecheck
  • Migrated to new rkyv 0.8 attribute syntax:
    • archive(...) → rkyv(...)
    • archive_attr(derive(...)) → rkyv(derive(...))
    • archive(check_bytes) → rkyv(bytecheck())
  • Updated test code to use new rkyv 0.8 API

Breaking Changes

None for consumers of this crate. The rkyv integration API remains the same.
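The allocation-failure path described in the advisory summary above, reduced to a stand-alone Rust program. This is an added illustration, not rkyv's code and not part of this PR's diff: try_alloc is a hypothetical allocator hook (an assumption, standing in for the global allocator) that can be forced to return null so the OOM branch is reachable from a test, and box_from_value_unchecked / box_from_value_checked are names chosen here for the "before" and "after" patterns.

```rust
use std::alloc::{alloc, Layout};
use std::ptr;

/// Error returned instead of building a Box from a null pointer.
#[derive(Debug, PartialEq, Eq)]
pub struct AllocFailed;

/// Hypothetical allocator hook (assumption: stands in for the global
/// allocator). With `force_oom` it returns null, which is exactly what a real
/// allocator is permitted to do when memory runs out.
fn try_alloc(layout: Layout, force_oom: bool) -> *mut u8 {
    if force_oom {
        return ptr::null_mut();
    }
    // SAFETY: `layout` is for u64, so its size is non-zero as `alloc` requires.
    unsafe { alloc(layout) }
}

/// The "before": the pattern the advisory describes. The allocator's result
/// goes straight into a write and then `Box::from_raw` with no null check, so
/// on OOM this writes through null and builds a Box from a null pointer
/// (undefined behavior). Kept `unsafe` and shown for contrast only; nothing
/// in this file calls it with `force_oom = true`.
#[allow(dead_code)]
pub unsafe fn box_from_value_unchecked(value: u64, force_oom: bool) -> Box<u64> {
    let p = try_alloc(Layout::new::<u64>(), force_oom).cast::<u64>();
    // NOT sound on OOM: this silently assumes p is non-null.
    unsafe {
        p.write(value);
        Box::from_raw(p)
    }
}

/// The "after": validate the allocator's result before touching it. A null
/// result becomes an error here; calling `std::alloc::handle_alloc_error(layout)`,
/// which aborts the process, is the other accepted response.
pub fn box_from_value_checked(value: u64, force_oom: bool) -> Result<Box<u64>, AllocFailed> {
    let layout = Layout::new::<u64>();
    let p = try_alloc(layout, force_oom).cast::<u64>();
    if p.is_null() {
        return Err(AllocFailed);
    }
    // SAFETY: p is non-null, aligned and sized for u64, and came from the
    // global allocator with the same layout Box<u64> will use to free it.
    unsafe {
        p.write(value);
        Ok(Box::from_raw(p))
    }
}

fn main() {
    // Normal path: allocation succeeds and the value round-trips.
    let b = box_from_value_checked(42, false).expect("allocation should succeed");
    println!("boxed value: {}", b);
    // Forced OOM: the checked version reports an error instead of hitting UB.
    println!("forced OOM: {:?}", box_from_value_checked(42, true));
}
```

The two calls in main exercise the success and forced-OOM paths; the point of the checked version is that the only safe things to do with a null allocation result are to return an error or abort, never to write through it or wrap it in an owning pointer.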

@michalsidzej michalsidzej mentioned this pull request Jan 5, 2026
@Tony-Samuels
Collaborator

This introduces a breaking change, and as such cannot be accepted into the v1 branch. rkyv 0.8 is not backwards compatible with rkyv 0.7 usage, so any usage of this crate with rkyv would break.

@Omega359

Omega359 commented Jan 5, 2026

How do you plan on resolving the security vulnerability in rkyv if you won't accept the upgrade? This is breaking a number of downstream projects.

@Tony-Samuels
Collaborator

Tony-Samuels commented Jan 5, 2026

  1. This vulnerability only impacts clients using an optional feature. That this is being flagged by audit systems is a bug in those systems.
  2. This breakage is in another crate, which can be asked to backport the fix.
  3. The only resolution method without an rkyv fix is to remove support for rkyv 0.7, which this MR does, but that is a major breaking change for anyone relying on that feature.

I'm afraid our hands are tied here. I do know that a backport has already been requested of the rkyv team, so we'll have to wait for them to respond.

@Tony-Samuels
Collaborator

This has now been resolved by the rkyv team.

@michalsidzej
Author

> How do you plan on resolving the security vulnerability in rkyv if you won't accept the upgrade? This is breaking a number of downstream projects

There's already a new rkyv 7 version; just run cargo update -p rkyv: https://crates.io/crates/rkyv/0.7.46
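A way to confirm what a lockfile actually resolved after that cargo update, as an added example that is not part of this thread or of either project's code. It assumes the fixed ranges stated on this page: >= 0.8.13 from the advisory, and 0.7.46 as the first patched 0.7.x release, which is taken from the comment above rather than from any advisory text here. SAMPLE_LOCK is a constructed lockfile, and parse_version, rkyv_is_patched and rkyv_entries are names chosen for this example.

```rust
/// Parse "MAJOR.MINOR.PATCH" as written in a resolved Cargo.lock; anything
/// else (extra components, pre-release tags) yields None and is treated as unknown.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.trim().split('.');
    let major: u64 = parts.next()?.parse().ok()?;
    let minor: u64 = parts.next()?.parse().ok()?;
    let patch: u64 = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// True when this rkyv version carries the fix for RUSTSEC-2026-0001.
/// Boundaries come from this thread: 0.8.13 (advisory) and 0.7.46 (the
/// backport linked in the comment above; assumed to be the first fixed 0.7.x).
pub fn rkyv_is_patched(version: (u64, u64, u64)) -> bool {
    match version {
        (0, 7, patch) => patch >= 46,
        (0, 8, patch) => patch >= 13,
        // 0.9+ would postdate the fix; 0.6 and older never received it.
        (0, minor, _) => minor > 8,
        (major, _, _) => major >= 1,
    }
}

/// Walk the `[[package]]` tables of a lockfile and return `(version, patched)`
/// for every entry named "rkyv". Only the `name` and `version` keys are read;
/// `dependencies` lists and `[metadata]` checksums are ignored.
pub fn rkyv_entries(lock: &str) -> Vec<(String, bool)> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, bool)>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            if n == "rkyv" {
                let patched = parse_version(&v).map_or(false, rkyv_is_patched);
                out.push((v, patched));
            }
        }
    }
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Constructed sample lockfile (not from the PR): one vulnerable 0.7 entry and
/// one patched 0.8 entry, as happens when dependents pull in different majors.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "rkyv 0.7.42",
 "rkyv 0.8.13",
]

[[package]]
name = "rkyv"
version = "0.7.42"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rkyv"
version = "0.8.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for (version, patched) in rkyv_entries(SAMPLE_LOCK) {
        let status = if patched { "patched" } else { "VULNERABLE (RUSTSEC-2026-0001)" };
        println!("rkyv {version}: {status}");
    }
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of its Cargo.lock; every rkyv line in the lockfile is reported, which matters because a 0.7 and a 0.8 copy can coexist in one dependency graph and each needs to be on the fixed side of its own range.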
