slab: Improper bounds check in tokio-rs slab get_disjoint_mut leading to uninitialized memory access (CVE-2025-55159) #shorts
Summary
In this episode, we discuss CVE-2025-55159, a moderate memory safety issue in the Rust slab crate used by several projects including rust-keylime. The flaw allows out-of-bounds access to uninitialized memory, potentially causing undefined behavior or crashes. A fix is available in slab version 0.4.11, and major Linux distributions have already issued updates.
Product details
The vulnerability affects the slab crate from the Tokio ecosystem, specifically versions 0.4.10 up to but not including 0.4.11. SUSE issued an advisory for rust-keylime that bundles this library, and Fedora 41 and 42 have both updated rust-slab to 0.4.11 without requiring package rebuilds.
Vulnerability type summary
CVE-2025-55159 is classified under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. It arises when code checks against a buffer’s capacity instead of its actual length, leading to potential out-of-bounds memory operations.
Details of the vulnerability
In slab version 0.4.10, the get_disjoint_mut method validated indices against the slab’s capacity rather than its current length. This mistake allowed callers to obtain mutable references to uninitialized slots beyond the initialized portion of the slab, risking undefined behavior or crashes if those slots were accessed. The fix in version 0.4.11 corrects the boundary check to use the slab’s length. As a temporary workaround, users should avoid passing indices that could exceed the slab’s live length.
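To make the length-versus-capacity distinction concrete, here is an added example in Rust (written for this page, not code from the tokio-rs slab crate) of a minimal slab-like container with a two-key `get_disjoint_mut` whose bounds check is made against the number of initialised slots rather than the allocation size. `MiniSlab`, `Entry` and the helper predicates `key_passes_capacity_check` / `key_passes_length_check` are assumed names for this example; the predicates exist only to show, without touching uninitialised memory, which keys each style of check would let through.

```rust
// Added example (not the tokio-rs slab crate's code): a minimal slab-like
// container that shows why a key must be checked against the number of
// initialised slots (len) and not against the allocation size (capacity).
// MiniSlab, Entry and all method names are assumptions made for this example.

enum Entry<T> {
    Vacant(usize), // index of the next free slot in the free list
    Occupied(T),
}

pub struct MiniSlab<T> {
    entries: Vec<Entry<T>>, // only entries[0..entries.len()] are initialised
    next: usize,            // head of the free list
    len: usize,             // number of Occupied slots
}

impl<T> MiniSlab<T> {
    pub fn with_capacity(cap: usize) -> Self {
        MiniSlab { entries: Vec::with_capacity(cap), next: 0, len: 0 }
    }

    pub fn len(&self) -> usize { self.len }
    pub fn capacity(&self) -> usize { self.entries.capacity() }

    /// The check the vulnerable 0.4.10 release effectively made: it passes for
    /// slots that were allocated but never written.
    pub fn key_passes_capacity_check(&self, key: usize) -> bool {
        key < self.entries.capacity()
    }

    /// The correct check (what 0.4.11 does): bound by the initialised length.
    pub fn key_passes_length_check(&self, key: usize) -> bool {
        key < self.entries.len()
    }

    pub fn insert(&mut self, val: T) -> usize {
        let key = self.next;
        if key == self.entries.len() {
            self.entries.push(Entry::Occupied(val)); // grow the initialised region
            self.next = key + 1;
        } else {
            self.next = match self.entries[key] {
                Entry::Vacant(next_free) => next_free,
                Entry::Occupied(_) => unreachable!("free list points at a live slot"),
            };
            self.entries[key] = Entry::Occupied(val);
        }
        self.len += 1;
        key
    }

    pub fn get(&self, key: usize) -> Option<&T> {
        match self.entries.get(key) {
            Some(Entry::Occupied(v)) => Some(v),
            _ => None,
        }
    }

    pub fn remove(&mut self, key: usize) -> Option<T> {
        if !matches!(self.entries.get(key), Some(Entry::Occupied(_))) {
            return None;
        }
        let prev = std::mem::replace(&mut self.entries[key], Entry::Vacant(self.next));
        self.next = key;
        self.len -= 1;
        match prev {
            Entry::Occupied(v) => Some(v),
            Entry::Vacant(_) => None,
        }
    }

    /// Two disjoint mutable borrows, bounds-checked against the initialised length.
    /// Returns None for equal keys, out-of-range keys, or vacant slots.
    pub fn get_disjoint_mut(&mut self, key1: usize, key2: usize) -> Option<(&mut T, &mut T)> {
        if key1 == key2 {
            return None; // two &mut to one slot would alias
        }
        if !self.key_passes_length_check(key1) || !self.key_passes_length_check(key2) {
            return None; // a capacity-based check would wrongly continue here
        }
        let (lo, hi, swapped) = if key1 < key2 { (key1, key2, false) } else { (key2, key1, true) };
        let (head, tail) = self.entries.split_at_mut(hi);
        match (&mut head[lo], &mut tail[0]) {
            (Entry::Occupied(a), Entry::Occupied(b)) => Some(if swapped { (b, a) } else { (a, b) }),
            _ => None,
        }
    }
}

fn main() {
    let mut slab: MiniSlab<u32> = MiniSlab::with_capacity(8);
    slab.insert(10);
    slab.insert(20);
    // Slot 5 was allocated but never initialised: only the length check rejects it.
    println!("key 5: capacity check {}, length check {}",
             slab.key_passes_capacity_check(5), slab.key_passes_length_check(5));
    println!("get_disjoint_mut(0, 5) -> {:?}",
             slab.get_disjoint_mut(0, 5).map(|(a, b)| (*a, *b)));
}
```

With eight slots reserved and two inserted, key 5 satisfies `key < capacity()` but not `key < len()`; the corrected `get_disjoint_mut` returns `None` for it instead of handing out a reference into never-written storage. Auditing a dependency for this class of bug comes down to the same question: is every index compared against what has actually been initialised?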
Conclusion
CVE-2025-55159 highlights the importance of rigorous boundary checks in systems programming. Developers and operators should update to slab 0.4.11 immediately and rebuild any affected applications or libraries. Staying current with security advisories from your distribution and crate maintainers will help you mitigate similar risks in the future.
Watch the full video on YouTube: CVE-2025-55159
Remediation and exploitation details
This chain involves the following actors
- Attacker: malicious actor exploiting uninitialized memory access
- Developer: maintains application using tokio-rs slab
The following systems are involved
- tokio-rs slab crate 0.4.10 (pre-allocated storage for uniform data): vulnerable library
- Application (uses slab for data storage): dependent software
Attack entry point
- get_disjoint_mut method: incorrect bounds check allowing out-of-range access to memory
Remediation actions
Exploitation actions
bypass length check by targeting capacity instead of actual length
- let pair = slab.get_disjoint_mut(0, slab.capacity());
ensure capacity-based check passes while length remains smaller
- let _ = slab.insert(42);
read or write uninitialized memory, causing undefined behavior or crash
- process_values(&mut pair.0, &mut pair.1);
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://github.com/tokio-rs/slab/security/advisories/GHSA-qx2v-8332-m4fv
- https://github.com/tokio-rs/slab/pull/152
- https://github.com/tokio-rs/slab/commit/2d65c514bc964b192bab212ddf3c1fcea4ae96b8
- [2025-08-22] Fedora 41 updates rust-slab to version 0.4.11 to fix CVE-2025-55159, but no rebuilds are necessary.
- [2025-08-22] Fedora 42 updates rust-slab to version 0.4.11 to fix CVE-2025-55159, no rebuilds necessary.
- [2025-08-23] SUSE issues a security advisory for a moderate vulnerability in rust-keylime, CVE-2025-55159.