Description
Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integer overflow leading to memory corruption via out-of-bounds slices
Action: Patch
AI Analysis

Impact

Bytes, a Rust byte handling library, has an integer overflow flaw in its BytesMut::reserve function. The overflow occurs when the code adds the desired capacity and an offset together without bounds checking. In release builds this addition can wrap, allowing the condition that validates the new capacity to succeed incorrectly. As a result, the buffer's recorded capacity (self.cap) is set beyond the actual allocation. Subsequent operations that trust this corrupted value can create slices that read or write past the allocated memory, causing undefined behavior and potential memory corruption.
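
The overflow described above, modelled as an added example (not code from the bytes crate or the advisory). The function names, the Option return value and the sample numbers are assumptions, and wrapping_add stands in for the unchecked + of a release build.

```rust
// Simplified model of the capacity check named in the advisory.
// Variable names follow the advisory's condition; everything else is hypothetical.

/// Vulnerable form: `new_cap + offset` with wrapping arithmetic, which is what
/// an unchecked `+` does in a release build (a debug build would panic here).
fn reclaim_wrapping(v_capacity: usize, offset: usize, new_cap: usize) -> Option<usize> {
    if v_capacity >= new_cap.wrapping_add(offset) {
        Some(new_cap) // the value that would be stored as the buffer's `cap`
    } else {
        None // request does not fit; caller would allocate instead
    }
}

/// Hardened form: an overflowing sum is treated as "does not fit".
fn reclaim_checked(v_capacity: usize, offset: usize, new_cap: usize) -> Option<usize> {
    match new_cap.checked_add(offset) {
        Some(end) if v_capacity >= end => Some(new_cap),
        _ => None,
    }
}

/// Invariant later APIs rely on: offset + cap must lie inside the allocation.
fn cap_is_in_bounds(v_capacity: usize, offset: usize, cap: usize) -> bool {
    offset.checked_add(cap).map_or(false, |end| end <= v_capacity)
}

fn main() {
    // Constructed sample values, not taken from the advisory.
    let v_capacity = 64; // bytes actually allocated
    let offset = 16; // the view starts 16 bytes into the allocation
    let new_cap = usize::MAX - 7; // requested capacity close to usize::MAX

    // (usize::MAX - 7) + 16 wraps to 8, and 64 >= 8, so the check passes.
    let accepted = reclaim_wrapping(v_capacity, offset, new_cap);
    println!("wrapping check accepted cap: {:?}", accepted);
    let ok = accepted.map_or(true, |c| cap_is_in_bounds(v_capacity, offset, c));
    println!("accepted cap within allocation: {}", ok);

    // checked_add reports the overflow, so the reclaim path is refused.
    println!("checked check: {:?}", reclaim_checked(v_capacity, offset, new_cap));

    // An ordinary request gives the same answer in both forms.
    println!("{:?} {:?}", reclaim_wrapping(64, 16, 32), reclaim_checked(64, 16, 32));
}
```
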

Affected Systems

The vulnerability affects tokio-rs/bytes library versions 1.2.1 through 1.11.0. All applications that compile against these versions are impacted; the fix was applied in release 1.11.1.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% implies a low likelihood of exploitation today. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply input that triggers the reserve method with a large offset, which is typically only possible within an application that adopts the unsafe path. The flaw manifests only in release builds; debug builds trigger a panic, so realistic exploitation is harder. Based on the description, it is inferred that the attack vector involves providing crafted input to the reserve method, but the specific details are not explicitly documented.

Generated by OpenCVE AI on April 18, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tokio-rs/bytes to version 1.11.1 or later to obtain the integer-overflow fix.
  • Ensure your Cargo.toml dependencies lock to a non-vulnerable version, then rebuild all affected binaries.
  • If an immediate upgrade is not feasible, avoid using BytesMut::reserve or limit the capacity to a safe bound until the library is patched.



Advisories
Source: Github GHSA
ID: GHSA-434x-w66g-qw3r
Title: bytes has integer overflow in BytesMut::reserve
History

Fri, 27 Feb 2026 20:15:00 +0000

Values Added
First Time appeared: Tokio-rs; Tokio-rs bytes
CPEs: cpe:2.3:a:tokio-rs:bytes:*:*:*:*:*:rust:*:*
Vendors & Products: Tokio-rs; Tokio-rs bytes
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 05 Feb 2026 16:15:00 +0000

Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Values Added
First Time appeared: Tokio; Tokio bytes
Vendors & Products: Tokio; Tokio bytes

Wed, 04 Feb 2026 22:15:00 +0000

Values Added
Description: Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1.
Title: Bytes is vulnerable to integer overflow in BytesMut::reserve
Weaknesses: CWE-680
References:
Metrics: cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T15:13:34.031Z

Reserved: 2026-02-02T19:59:47.375Z

Link: CVE-2026-25541

Vulnrichment

Updated: 2026-02-05T15:13:21.073Z

NVD

Status: Analyzed

Published: 2026-02-04T22:16:00.383

Modified: 2026-02-27T20:13:28.537

Link: CVE-2026-25541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses