Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions crates/solana_rbpf/RUSTSEC-0000-0000.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "solana_rbpf"
date = "2026-05-28"
url = "https://github.com/solana-labs/rbpf"
references = [
"https://github.com/anza-xyz/sbpf/pull/151",
"https://crates.io/crates/solana-sbpf",
]
informational = "unsound"
categories = ["memory-corruption"]
keywords = ["soundness", "pointer-arithmetic", "out-of-bounds"]

[affected.functions]
"solana_rbpf::vm::EbpfVm::invoke_function" = [">= 0.8.0, <= 0.8.5"]

[versions]
patched = []
unaffected = ["< 0.8.0"]
```

# `EbpfVm::invoke_function` performs out-of-bounds pointer arithmetic

Affected versions of `solana_rbpf` expose the safe method
`EbpfVm::invoke_function`. This method computes an obfuscated VM pointer by
casting `self` to `*mut u64` and applying a randomized offset derived from
`get_runtime_environment_key()`.

The resulting pointer arithmetic is performed with `ptr::offset`, which
requires the computed pointer to remain within the same allocation. In practice,
the randomized offset can move the pointer far outside the allocation
containing the `EbpfVm`, causing undefined behavior before the supplied builtin
function is invoked.

## Unmaintained

The upstream `solana_rbpf` repository is archived, and no patched version of
this crate is currently available.

Users should migrate to the maintained [`solana-sbpf`](https://crates.io/crates/solana-sbpf)
crate. The issue has been fixed there in
[`anza-xyz/sbpf#151`](https://github.com/anza-xyz/sbpf/pull/151).