Fluid Attacks Database

Description

smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller. This vulnerability is fixed in 2.6.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
cargo	smallbitvec	>=1.0.1 <=2.6.0	2.6.1
debian 12	rust-smallbitvec	=2.5.1-1 \|\| =2.6.0-1 \|\| =2.6.1-1	-
debian 13	rust-smallbitvec	=2.5.1-1 \|\| =2.6.0-1 \|\| =2.6.1-1	-
debian 14	rust-smallbitvec	=2.5.1-1 \|\| =2.6.0-1 \|\| >=0 <2.6.1-1	2.6.1-1

Aliases

1. CVE-2026-449832. NVD-2026-449833. OSV-2026-449834. OSV-DEBIAN-2026-449835. GHSA-97wc-2hqc-cjgr6. GCVE-2026-449837. SECURITY-TRACKER-CVE-2026-44983

References

1. https://github.com/servo/smallbitvec/security/advisories/GHSA-97wc-2hqc-cjgr

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.