Skip to content

RUSTSEC-2026-0205: Array::insert violates exception safety if compare function panics, leading to potential Double-Free #6

Description

@github-actions

Array::insert violates exception safety if compare function panics, leading to potential Double-Free

Details
Status unsound
Package scc
Version 2.4.0
URL https://codeberg.org/wvwwvwwv/scalable-concurrent-containers/issues/232
Date 2026-07-06

In affected versions of this crate, Array::insert is not exception safe. In the UPSERT path, key and value's snapshot is written to self.data_block, and after the insertion is completed, key and value are mem::forget in order to prevent double free. However, during the insertion, K::compare is invoked, which is a user-provided method. If user deliberately call panic in this function, during unwinding, the destructors of key, value, and self will all be called (since the mem::forget has not been called yet), leading to Double Free. Similar issues happens in the !UPSERT path.

The soundness issue was fixed in version 3.8.4 by using ManuallyDrop instead of mem::forget, and separating fallible code from infallible code during a node split - insert = insert_try -> insert_unchecked.

See advisory page for additional details.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions