Add advisory for inplace-vec-builder: InPlaceVecBuilder can corrupt the backing Vec

[DiuDiu777]

Affected crate(s)

• inplace-vec-builder (1,222,237 recent downloads per crates.io; 5,820,504 total downloads)

Links to upstream issue(s) or PR(s)

• Double Free and UB via std::mem::forget on InPlaceVecBuilder rklaehn/inplace-vec-builder#1

The issue was publicly reported upstream on 2026-03-09 and remains open with no maintainer response as of 2026-05-27.

Severity

Informational soundness issue. Safe Rust code can leak InPlaceVecBuilder with std::mem::forget after it has entered an intermediate state, bypassing the Drop cleanup that restores the backing Vec.

This can expose the Vec with an invalid length and duplicated or otherwise invalid elements. Subsequent safe use or drop of the Vec can trigger undefined behavior, including double free and use-after-free. Miri reports a dangling pointer dereference during drop. No unsafe code is required from the caller.

Checklist

• Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
• date field is set to the public disclosure date
• Contains a concise and descriptive title after advisory metadata
• Asked maintainer(s) if publishing an advisory is appropriate

The issue has been public for more than two months without upstream response. I am filing this advisory under RustSec's documented allowance for advisories after public disclosure with no upstream response.

[djc]

I made an attempt to reach out to the maintainer.

[DiuDiu777]

Thank you for reaching out; I’ll wait for any feedback and adjust the advisory if needed.