VYPR
← All advisories
Medium severityOSV Advisory· Published Aug 11, 2025· Updated Apr 15, 2026

CVE-2025-55159

CVE-2025-55159

Description

slab is a pre-allocated storage for a uniform data type. In version 0.4.10, the get_disjoint_mut method incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes. This has been fixed in slab 0.4.11. A workaround for this issue involves to avoid using get_disjoint_mut with indices that might be beyond the slab's actual length.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In slab 0.4.10, `get_disjoint_mut` checks capacity instead of length, enabling out-of-bounds memory access and undefined behavior.

Vulnerability

Overview

The get_disjoint_mut method in the slab crate (version 0.4.10) performs an incorrect bounds check when validating user-provided indices. Specifically, it checks whether indices fall within the slab's allocated *capacity*, rather than the actual number of initialized elements (*length*). This allows an attacker or a malicious caller to access uninitialized memory regions that are within capacity but beyond the slab's length [1][4].

Exploitation

Details

To exploit this vulnerability, an attacker must be able to pass indices to get_disjoint_mut that lie between the slab's current length and its capacity. The attack requires no special privileges beyond the ability to invoke the affected method on a slab where the capacity exceeds the length. Because the bug is in the bounds-checking logic, no authentication is needed—any code path that uses get_disjoint_mut with untrusted or attacker-controlled indices could trigger the issue [1][3].

Impact

Successful exploitation results in access to uninitialized memory, which constitutes undefined behavior in Rust. This can lead to memory corruption, information disclosure (reading sensitive data from uninitialized regions), or application crashes. The severity is medium because exploitation requires the slab to have unused capacity and for the caller to supply indices beyond the length [2][4].

Mitigation

The issue is fixed in slab version 0.4.11, which corrects the bounds check to verify indices against the slab's length. Users should update to at least 0.4.11. As a workaround, avoid using get_disjoint_mut with indices that might exceed the slab's actual length [1][4].

References
  1. Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
  2. NVD - CVE-2025-55159
  3. Fix `get_disjoint_mut` error condition by mox692 · Pull Request #152 · tokio-rs/slab
  4. Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check › RustSec Advisory Database

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
slabcrates.io
>= 0.4.10, < 0.4.110.4.11

Affected products

2
  • Tokio Rs/SlabOSV2 versions
    v0.4.10+ 1 more
    • (no CPE)range: v0.4.10
    • (no CPE)range: <=0.4.10

Patches

2
2e5779f8eb31

Release v0.4.11 (#153)

https://github.com/tokio-rs/slabAlice RyhlAug 8, 2025via osv
commit
2 files changed · +5 1
  • Cargo.toml+1 1 modified
    @@ -6,7 +6,7 @@ name = "slab"
 #   - README.md
 # - Update CHANGELOG.md
 # - Create git tag
-version = "0.4.10"
+version = "0.4.11"
 authors = ["Carl Lerche <me@carllerche.com>"]
 edition = "2018"
 rust-version = "1.51"
  • CHANGELOG.md+4 0 modified
    @@ -1,3 +1,7 @@
+# 0.4.11 (August 8, 2025)
+
+* Fix `Slab::get_disjoint_mut` out of bounds (#152)
+
 # 0.4.10 (June 15, 2025)
 
 * Add `Slab::get_disjoint_mut` (#149)
2d65c514bc96

Fix get_disjoint_mut error condition (#152)

https://github.com/tokio-rs/slabMotoyuki KimuraAug 8, 2025via ghsa
commit
2 files changed · +16 2
  • src/lib.rs+3 2 modified
    @@ -823,13 +823,14 @@ impl<T> Slab<T> {
         }
 
         let entries_ptr = self.entries.as_mut_ptr();
-        let entries_cap = self.entries.capacity();
+        let entries_len = self.entries.len();
 
         let mut res = MaybeUninit::<[&mut T; N]>::uninit();
         let res_ptr = res.as_mut_ptr() as *mut &mut T;
 
         for (i, &key) in keys.iter().enumerate() {
-            if key >= entries_cap {
+            // `key` won't be greater than `entries_len`.
+            if key >= entries_len {
                 return Err(GetDisjointMutError::IndexOutOfBounds);
             }
             // SAFETY: we made sure above that this key is in bounds.
  • tests/slab.rs+13 0 modified
    @@ -767,3 +767,16 @@ fn get_disjoint_mut() {
     assert_eq!(slab[0], 4);
     assert_eq!(slab[4], 0);
 }
+
+#[test]
+fn get_disjoint_mut_out_of_bounds_index_error() {
+    let mut slab: Slab<i32> = Slab::with_capacity(10);
+    slab.insert(1);
+    slab.insert(2);
+
+    // Index 0 and 1 are valid, but index 5 is out of bounds (beyond len)
+    assert_eq!(
+        slab.get_disjoint_mut([0, 1, 5]),
+        Err(GetDisjointMutError::IndexOutOfBounds)
+    );
+}

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.