CVE-2026-25541
Published: 04 February 2026
Summary
CVE-2026-25541 is a high-severity Integer Overflow to Buffer Overflow (CWE-680) vulnerability in Tokio-Rs Bytes. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Remote network exploitation of the integer overflow/UB in the bytes library directly enables T1190 (public-facing app compromise leading to crash) and T1499.004 (adversary-triggered application exploitation for DoS).
NVD Description
Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1.
Deeper analysis (AI-generated)
CVE-2026-25541 is an integer overflow vulnerability in the Bytes utility library for working with bytes, maintained by tokio-rs. It affects versions from 1.2.1 up to but not including 1.11.1, specifically in the BytesMut::reserve function within the unique reclaim path. The condition "v_capacity >= new_cap + offset" performs an unchecked addition that can overflow usize in release builds, causing the check to incorrectly pass and self.cap to be set beyond the actual allocated capacity. Subsequent APIs, such as spare_capacity_mut(), then rely on this corrupted capacity value, potentially producing out-of-bounds slices and leading to undefined behavior (UB). This differs from debug builds, which panic on overflow due to checks, while release builds exhibit wrapping behavior.
Remote attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.5 (High) under CWE-680. The impact is confined to high availability disruption (A:H) with no effects on confidentiality or integrity (C:N/I:N) and unchanged scope (S:U). Triggering the overflow results in UB, which in release builds of affected Rust applications could cause crashes, memory corruption, or other denial-of-service conditions.
The vulnerability has been patched in Bytes version 1.11.1. Mitigation involves updating to this version or later. Official resources include the GitHub security advisory at https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r, RustSec advisory RUSTSEC-2026-0007 at https://rustsec.org/advisories/RUSTSEC-2026-0007.html, the fixing commit at https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f, and release notes at https://github.com/tokio-rs/bytes/releases/tag/v1.11.1.
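The reclaim condition described above, modelled in an added Rust example that is not code from the tokio-rs/bytes crate: the unchecked form (written with wrapping_add so the release-build wrap is reproduced in any build) beside a hardened form that refuses the reclaim when the sum overflows. The function names, the simplified "trusted cap" bookkeeping and the sizes in main() are assumptions constructed for illustration.

```rust
// Added example, not code from the tokio-rs/bytes crate: a simplified model of
// the reclaim condition in BytesMut::reserve that the advisory describes.
// Function names and the sizes used in main() are constructed for illustration.

/// Vulnerable form. In the real code `new_cap + offset` is an unchecked `+`,
/// which wraps in release builds; `wrapping_add` reproduces that wrap in every
/// build so the example behaves identically under `cargo run` and `cargo test`.
fn can_reclaim_unchecked(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    v_capacity >= new_cap.wrapping_add(offset)
}

/// Hardened form: if the sum overflows, the request cannot fit in the existing
/// allocation, so the reclaim path is refused instead of silently passing.
fn can_reclaim_checked(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    match new_cap.checked_add(offset) {
        Some(needed) => v_capacity >= needed,
        None => false,
    }
}

/// Capacity the buffer would trust after the vulnerable check passes. This model
/// records the requested `new_cap` (simplified bookkeeping, an assumption);
/// returns None when the check refuses the reclaim.
fn trusted_cap_unchecked(v_capacity: usize, new_cap: usize, offset: usize) -> Option<usize> {
    can_reclaim_unchecked(v_capacity, new_cap, offset).then_some(new_cap)
}

/// True when a recorded capacity is larger than the bytes actually allocated:
/// the state from which spare_capacity_mut() would hand out an oversized slice.
fn cap_exceeds_allocation(trusted_cap: usize, v_capacity: usize) -> bool {
    trusted_cap > v_capacity
}

fn main() {
    let v_capacity = 4096; // bytes actually backing the buffer (constructed)
    let offset = 100;      // start of the live bytes inside it (constructed)
    let new_cap = usize::MAX - 50; // constructed so new_cap + offset wraps to 49
    if let Some(cap) = trusted_cap_unchecked(v_capacity, new_cap, offset) {
        println!("unchecked: reclaim allowed, cap={} > allocation={}: {}",
                 cap, v_capacity, cap_exceeds_allocation(cap, v_capacity));
    }
    println!("checked: reclaim allowed? {}",
             can_reclaim_checked(v_capacity, new_cap, offset));
}
```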
Details
- CWE(s)