CVE-2026-55406 in buffainfo

Summary

by MITRE • 07/16/2026

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static [u8], and the Deref implementation exposed the promoted 'static lifetime on borrowed view fields (such as &'static str and &'static [u8]) to callers, so the borrow checker permitted those references to outlive the OwnedView; once the OwnedView was dropped and its backing buffer freed, the references became dangling, enabling memory corruption, information disclosure of freed heap contents, and cross-thread misuse without any unsafe code in the calling application. This issue is fixed in version 0.7.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability described represents a critical soundness flaw in the buffa Rust crate that affected versions prior to 0.7.0, fundamentally undermining memory safety guarantees within the Rust ecosystem. This issue manifests through the improper handling of lifetimes and memory management in the OwnedView<V> type, which serves as a core component for Protocol Buffers implementation. The vulnerability arises from a transmutation operation that converts borrowed data into statically lifed references, creating a dangerous mismatch between runtime memory management and compile-time lifetime checking mechanisms.

The technical root cause lies in how the OwnedView::decode constructor performs a transmute operation from a borrowed slice to &'static [u8] type, while simultaneously exposing these promoted static references through the Deref implementation. This design flaw allows the borrow checker to incorrectly assume that references with 'static lifetime can outlive their actual data sources, when in reality they are merely borrowed slices that get dropped along with the OwnedView container. The Deref trait implementation specifically exposes these borrowed fields as &'static str and &'static [u8] types to external callers, creating a situation where safe Rust code can inadvertently create references to freed memory locations.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling information disclosure through access to freed heap contents that may contain sensitive data from previous allocations. The use-after-free condition created by this bug allows for cross-thread misuse scenarios where one thread might access memory that has already been deallocated by another thread, leading to unpredictable behavior and potential exploitation opportunities. This vulnerability is particularly dangerous because it requires no unsafe code in the calling application, making it accessible to developers who are following safe Rust practices while still exposing them to memory safety violations.

The fix implemented in version 0.7.0 addresses this fundamental soundness issue by correcting the lifetime handling and preventing the transmutation of borrowed slices into statically lifed references. This change ensures that references exposed through the Deref implementation properly respect the actual lifetime constraints of the underlying data, eliminating the possibility of dangling pointer dereferences. From a cybersecurity perspective, this vulnerability aligns with CWE-416 (Use After Free) and represents a classic example of how improper memory management in safe languages can still lead to exploitable conditions. The ATT&CK framework would categorize this as a memory corruption technique that leverages language-level abstractions to bypass traditional security controls, making it particularly insidious for applications relying on Rust's memory safety guarantees.

This vulnerability demonstrates the critical importance of careful lifetime management in Rust implementations, particularly when dealing with generic types and memory transmutes. The issue highlights how even seemingly benign operations like type conversions can create dangerous security implications when not properly constrained by Rust's ownership system. Developers should consider this as a prime example of why thorough testing and code review are essential for maintaining memory safety in systems that rely on complex generic abstractions, especially when implementing foundational libraries that other applications depend upon. The fix represents a necessary correction to ensure that Rust's type system can properly enforce memory safety constraints without allowing unintended lifetime extension through unsafe transmutation patterns.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!