Integer Overflow Vulnerability in Utility Library Affects Tokio's Bytes
CVE-2026-25541

5.5 MEDIUM

Key Information:

Vendor

Tokio-rs

Status
Vendor
CVE Published:
4 February 2026

What is CVE-2026-25541?

Bytes, a utility library for byte manipulation, contains an integer overflow in the BytesMut::reserve function. An unchecked addition in that function can lead to an incorrect capacity assignment. Later operations that rely on that capacity, such as spare_capacity_mut(), may then exceed the real allocation and access memory out of bounds, which is undefined behavior. The flaw is easily observable in release builds; debug builds panic instead, because of their overflow checks. A patch was released in version 1.11.1 to address this critical issue.
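The failure mode described above, shown as an added toy model that is not the bytes crate's source and not code from this advisory. The ToyBuf type, its fields and the offset-into-allocation layout are assumptions made for illustration; the point is how a wrapped addition lets a bounds check pass and how checked_add turns the same input into an error.

```rust
// Toy model, constructed for illustration; NOT the bytes crate's source.
// A view starts `off` bytes into an allocation of `alloc` bytes (assumed layout).
#[derive(Debug, Clone, Copy)]
struct ToyBuf { off: usize, len: usize, cap: usize, alloc: usize }

impl ToyBuf {
    /// Invariant that spare-capacity style accessors depend on.
    fn in_bounds(&self) -> bool {
        self.off.checked_add(self.cap).map_or(false, |end| end <= self.alloc)
    }

    /// Unchecked arithmetic. `wrapping_add` reproduces what `+` does in a
    /// release build; in a debug build the same `+` would panic.
    fn reserve_unchecked(&mut self, additional: usize) -> bool {
        let new_cap = self.len.wrapping_add(additional);
        if self.off.wrapping_add(new_cap) <= self.alloc {
            self.cap = new_cap; // allocation "reused" with a bogus capacity
            return true;
        }
        false // a real buffer would reallocate here
    }

    /// Checked arithmetic: overflow is an error, never a capacity.
    fn reserve_checked(&mut self, additional: usize) -> Result<bool, &'static str> {
        let new_cap = self.len.checked_add(additional).ok_or("capacity overflow")?;
        let end = self.off.checked_add(new_cap).ok_or("capacity overflow")?;
        if end <= self.alloc {
            self.cap = new_cap;
            return Ok(true);
        }
        Ok(false) // does not fit; caller must reallocate
    }
}

fn main() {
    let start = ToyBuf { off: 8, len: 4, cap: 4, alloc: 16 }; // constructed values
    let huge = usize::MAX - 7; // constructed request that makes off + new_cap wrap

    let mut a = start;
    let reused = a.reserve_unchecked(huge);
    println!("unchecked: reused={reused} cap={} in_bounds={}", a.cap, a.in_bounds());

    let mut b = start;
    let res = b.reserve_checked(huge);
    println!("checked:   {res:?} cap={} in_bounds={}", b.cap, b.in_bounds());
}
```

In the unchecked path the recorded capacity ends up far larger than the 16-byte allocation, so any accessor that trusts it would hand out a slice extending past the buffer.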

Affected Version(s)

bytes >= 1.2.1, < 1.11.1

CVSS V4

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
