CVE-2026-25541 Overview
CVE-2026-25541 is an integer overflow vulnerability affecting the bytes crate, a widely-used utility library for working with byte data in Rust. The vulnerability exists in the BytesMut::reserve function from version 1.2.1 to versions before 1.11.1. This flaw can lead to memory corruption through an unchecked integer addition, potentially causing undefined behavior in applications compiled in release mode.
Critical Impact
In release builds, the integer overflow can cause out-of-bounds memory access through corrupted capacity values, potentially leading to application crashes or undefined behavior. Debug builds are protected by Rust's overflow checks.
Affected Products
- bytes crate versions 1.2.1 to 1.11.0
- Applications using BytesMut::reserve with large capacity values
- Rust projects compiled in release mode without overflow checks
Discovery Timeline
- February 4, 2026 - CVE CVE-2026-25541 published to NVD
- February 5, 2026 - Last updated in NVD database
Technical Details for CVE-2026-25541
Vulnerability Analysis
The vulnerability resides in the unique reclaim path of the BytesMut::reserve function. When attempting to reserve additional capacity, the function performs a condition check using v_capacity >= new_cap + offset. The critical issue is that the addition of new_cap + offset is performed without overflow checking.
In Rust release builds, integer overflow wraps around rather than panicking, which causes the condition to incorrectly evaluate to true when the sum exceeds usize::MAX. This results in self.cap being set to a value that exceeds the actual allocated memory capacity. Subsequent operations like spare_capacity_mut() rely on this corrupted capacity value and may create slices that extend beyond the allocated buffer, leading to undefined behavior including out-of-bounds reads and writes.
Root Cause
The root cause is CWE-680 (Integer Overflow to Buffer Overflow). The unchecked arithmetic operation new_cap + offset can overflow when both values are sufficiently large. In release builds where overflow checks are disabled for performance, this overflow wraps silently, corrupting the internal state of the BytesMut structure and breaking memory safety guarantees.
Attack Vector
This is a local attack vector requiring the attacker to influence the capacity values passed to BytesMut::reserve. An attacker who can control or influence the size parameter in applications that use the bytes crate could trigger this overflow condition. While exploitation requires specific conditions—large capacity values and release builds—the potential for memory corruption makes this a significant security concern for affected applications.
// Security patch in src/bytes_mut.rs
// Source: https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f
let offset = self.ptr.as_ptr().offset_from(ptr) as usize;
+ let new_cap_plus_offset = match new_cap.checked_add(offset) {
+ Some(new_cap_plus_offset) => new_cap_plus_offset,
+ None if !allocate => return false,
+ None => panic!("overflow"),
+ };
+
// Compare the condition in the `kind == KIND_VEC` case above
// for more details.
- if v_capacity >= new_cap + offset {
+ if v_capacity >= new_cap_plus_offset {
self.cap = new_cap;
// no copy is necessary
} else if v_capacity >= new_cap && offset >= len {
Detection Methods for CVE-2026-25541
Indicators of Compromise
- Unexpected application crashes in release builds when handling large byte buffers
- Memory corruption errors or segmentation faults in applications using the bytes crate
- Unusual memory access patterns detected by memory safety tools
Detection Strategies
- Audit Cargo.lock files for bytes crate versions between 1.2.1 and 1.10.x
- Run cargo audit to detect vulnerable dependencies using the RustSec advisory database
- Enable memory sanitizers (AddressSanitizer) during testing to detect out-of-bounds access
Monitoring Recommendations
- Implement continuous dependency scanning in CI/CD pipelines using tools like cargo-deny or cargo-audit
- Monitor application logs for unexpected panics or memory-related errors in release builds
- Use runtime monitoring tools to detect anomalous memory allocation patterns
How to Mitigate CVE-2026-25541
Immediate Actions Required
- Upgrade the bytes crate to version 1.11.1 or later immediately
- Review and update all projects using affected versions of the bytes crate
- Run dependency audits across all Rust projects to identify affected codebases
- Consider temporarily enabling overflow checks in release builds for critical applications
Patch Information
The vulnerability has been patched in version 1.11.1 of the bytes crate. The fix replaces the unchecked addition with checked_add(), which returns None on overflow. The patched code properly handles overflow conditions by either returning false (when not allocating) or panicking with a clear error message. For detailed patch information, see the GitHub Commit and the v1.11.1 Release Notes.
Workarounds
- Upgrade to bytes 1.11.1 as the primary remediation (no practical workaround for affected versions)
- Compile with debug assertions enabled to trigger panic on overflow: RUSTFLAGS="-C debug-assertions=yes"
- For applications that cannot immediately upgrade, consider input validation to limit capacity requests
# Configuration example - Update bytes crate version
# In Cargo.toml, ensure bytes version is updated:
# bytes = "1.11.1"
# Run cargo audit to verify no vulnerable dependencies
cargo audit
# Update dependencies to latest patched versions
cargo update -p bytes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
