CVE-2026-25541


📋 TL;DR

An integer overflow in the BytesMut::reserve function of the bytes library can lead to memory corruption and out-of-bounds memory access. Rust applications that use an affected version of bytes (1.2.1 through 1.11.0) are exposed, particularly in release builds, where integer overflow wraps silently instead of panicking.

💻 Affected Systems

Products:
  • tokio-rs/bytes library
Versions: 1.2.1 through 1.11.0
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only release builds, where integer overflow wraps, are affected; debug builds panic on overflow. An application is exposed only if it calls BytesMut::reserve or the related APIs built on it, directly or through a dependency that uses bytes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory corruption leading to arbitrary code execution, denial of service, or data leakage through out-of-bounds memory access.

🟠 Likely Case

Application crashes, memory corruption, or undefined behavior leading to denial of service.

🟢 If Mitigated

Limited impact if running in debug mode (which panics on overflow) or with proper memory safety controls.

🌐 Internet-Facing: MEDIUM - Depends on how the vulnerable library is used in internet-facing services; could lead to service disruption.
🏢 Internal Only: MEDIUM - Internal applications could experience crashes or memory corruption affecting business operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering the specific integer overflow condition in BytesMut::reserve, which depends on the sizes the application passes to the API and therefore on its usage patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.1

Vendor Advisory: https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify bytes = "^1.11.1" or higher.
2. Run 'cargo update' to fetch the patched version.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Run in debug mode (all platforms)

Debug builds panic on integer overflow instead of wrapping, so the overflow surfaces as a panic (a crash) rather than memory corruption. Setting overflow-checks = true under [profile.release] in Cargo.toml gives release builds the same panicking behavior without shipping an unoptimized binary.

cargo build
cargo run

Pin to safe version (all platforms)

Force dependency resolution to use the fixed release of the bytes library (the version requirement in Cargo.toml must allow it).

cargo update -p bytes --precise 1.11.1

🧯 If You Can't Patch

  • Run applications in debug mode where possible, so an overflow panics instead of wrapping
  • Add explicit bounds checks in application code around the sizes passed to bytes APIs such as BytesMut::reserve

🔍 How to Verify

Check if Vulnerable:

Inspect Cargo.lock or run 'cargo tree | grep bytes' and check whether any listed bytes version falls between 1.2.1 and 1.11.0; a lockfile can pin more than one copy of the crate, so check every entry.

Check Version:

cargo tree | grep bytes

Verify Fix Applied:

Verify that every bytes entry in Cargo.lock is version 1.11.1 or higher with 'cargo tree | grep bytes'.
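The lockfile check above, as an added example script (not part of the advisory): it parses a Cargo.lock for every pinned bytes version and reports each one that falls in the affected range 1.2.1 through 1.11.0. The Cargo.lock excerpt embedded at the end is constructed sample input.

```shell
# Print each version of crate $1 found in a Cargo.lock read on stdin.
# Cargo.lock writes "name" before "version" inside every [[package]] table.
lock_versions() {
  awk -v crate="$1" '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); if (name == crate) print $3 }
  '
}

# Map "major.minor.patch" to one integer so versions compare with -ge/-le.
ver_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeed (exit 0) when $1 lies in the affected range 1.2.1 ..= 1.11.0.
is_affected() {
  k=$(ver_key "$1"); lo=$(ver_key 1.2.1); hi=$(ver_key 1.11.0)
  [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Read a Cargo.lock on stdin, print one verdict line per bytes entry
# (a lockfile may pin several copies), and exit 2 if any is affected.
check_lock() {
  rc=0
  for v in $(lock_versions bytes); do
    if is_affected "$v"; then echo "AFFECTED bytes $v"; rc=2
    else echo "OK bytes $v"; fi
  done
  return $rc
}

# Constructed Cargo.lock excerpt used as sample input (not a real lockfile).
SAMPLE_LOCK='[[package]]
name = "bytes"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.40.0"
'

printf '%s' "$SAMPLE_LOCK" | check_lock || echo "upgrade bytes to 1.11.1 or later"
```

For a real project, replace the sample with `check_lock < Cargo.lock`; the non-zero exit status makes it usable as a CI gate.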

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected panics in release builds
  • Memory corruption errors

Network Indicators:

  • Sudden service unavailability
  • Increased error rates in HTTP responses

SIEM Query:

Search application logs from Rust services for 'panicked at', 'memory access violation', or 'out of bounds' errors, and correlate any hits with the bytes version pinned in the affected build.
