FIND-20260404-027 · 2026-04-04 · Innovation Veille
RUSTSEC-2026-0007: bytes Crate Integer Overflow in BytesMut::reserve — Memory Corruption in Release Builds
cve
HIGH
The bytes crate (versions 1.2.1 through 1.10.0) has an integer overflow in BytesMut::reserve that can corrupt its internal capacity tracking and allow out-of-bounds slice access, leading to undefined behavior (memory corruption) in release builds. Fixed in bytes >= 1.10.1 (note: corrected from 1.11.1 per advisory page). bytes is a foundational crate used by Actix-web, Tokio, Hyper, and virtually all async Rust HTTP stacks. Critically, this only affects release builds (where the overflow wraps silently), not debug builds (where it panics). ODS production services compile with --release.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0007.html
ODS Impact
All ODS Rust services using actix-web or tokio most likely depend on bytes transitively. Services: billing-engine, oid, pdf-engine, docstore, workflow-engine, notification-hub (Rust parts), etc. Action: run `cargo tree -d` in each service to find the bytes version in use. If < 1.10.1, update Cargo.toml. This is a HIGH severity memory safety issue in production builds.
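Added example (not part of this finding record or of the bytes project): a lockfile checker that complements the `cargo tree -d` step by reading a service's Cargo.lock directly and flagging every resolved `bytes` version that falls inside the advisory's affected range (1.2.1 through 1.10.0, fixed in 1.10.1, as stated above). It assumes the standard Cargo.lock layout of `[[package]]` tables with `name` and `version` keys; the embedded lockfile is constructed for the example and does not describe any real ODS service.

```python
import re
import sys
from typing import List, Tuple

# Affected range and fix version, taken from the finding text above.
AFFECTED_MIN = (1, 2, 1)
AFFECTED_MAX = (1, 10, 0)
FIXED_IN = (1, 10, 1)

# Constructed sample Cargo.lock (not a real service's lockfile). It resolves
# bytes twice at different versions, which is exactly the situation a lockfile
# scan must catch: one copy is fixed, the other is still in the affected range.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "actix-web"
version = "4.4.0"
dependencies = [
 "bytes 1.5.0",
]

[[package]]
name = "bytes"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bytes"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.35.0"
"""

# Each [[package]] header starts a new table in Cargo.lock.
_PKG_HEADER = re.compile(r'^\[\[package\]\][ \t]*$', re.M)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Pre-release ('-beta.1') and build ('+meta') suffixes are dropped, which is
    conservative: a pre-release of a fixed version is treated as fixed.
    """
    core = text.split('-')[0].split('+')[0]
    parts = core.split('.')
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def lock_packages(lock_text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every [[package]] table in a Cargo.lock."""
    packages = []
    for block in _PKG_HEADER.split(lock_text)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            packages.append((name.group(1), version.group(1)))
    return packages


def is_affected(version: str) -> bool:
    """True when a bytes version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def vulnerable_bytes_versions(lock_text: str) -> List[str]:
    """Every resolved `bytes` version in the lockfile that is still affected."""
    hits = {ver for name, ver in lock_packages(lock_text)
            if name == "bytes" and is_affected(ver)}
    return sorted(hits, key=parse_version)


if __name__ == "__main__":
    # Usage: python check_bytes.py path/to/Cargo.lock   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = vulnerable_bytes_versions(text)
    fixed = ".".join(str(n) for n in FIXED_IN)
    if hits:
        print(f"AFFECTED: bytes {', '.join(hits)} resolved; bump to >= {fixed}")
        sys.exit(1)
    print(f"OK: no bytes version in the affected range (fix is {fixed})")
```

Run it once per service checkout (or in CI against the committed Cargo.lock); a non-zero exit marks a service that still resolves an affected copy, including the case where a fixed copy and an affected copy coexist because two dependencies pinned different ranges. Note that updating Cargo.toml alone does not change what is built: the lockfile must be re-resolved (`cargo update -p bytes`) and re-scanned. As a general Cargo setting, not something this advisory states, `overflow-checks = true` under `[profile.release]` makes release builds panic on integer overflow the way debug builds do; it is a blunt stopgap with a runtime cost, not a substitute for the upgrade.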
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
rust
rustsec
bytes
actix-web
tokio
memory-safety
integer-overflow
release-build