Add advisories for metacall

[thanasistrisp]

Affected crate

• metacall (2,066 recent downloads)

Links to upstream issue

metacall/core#809

Severity

I am reporting two different categories of memory vulnerabilities.
The first is more critical since every time the MetaCallException is created, when it is dropped, it leads to a bad-free. This can be triggered through the safe public API MetaCallException::new(), with no unsafe required from the caller.
The second one refers to many unsoundness issues found in Clone and new_raw methods of multiple traits.

Checklist

• Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
• date field is set to the public disclosure date
• Contains a concise and descriptive title after advisory metadata
• Asked maintainer(s) if publishing an advisory is appropriate

[djc]

LGTM, but I'd like to include patched versions if they're coming soon.

[djc]

Actually, are these issues independent from the existing issues reported in

https://rustsec.org/advisories/RUSTSEC-2026-0139.html

?

[thanasistrisp]

Actually, are these issues independent from the existing issues reported in

https://rustsec.org/advisories/RUSTSEC-2026-0139.html

?

MetaCallException::new(...) is a completely different case and much more severe, since it is not about unsoundness at all. (RUSTSEC-0000-0000.1.md)
The other ones (which includes more cases) are also in the same previously reported items, but the underlying bug is different; I explain more inside the RUSTSEC-0000-0000.2.md‎.

Feel free to correct me.