rustsec · dfoxfranke · Jun 26, 2026
diff --git a/crates/anyhow/RUSTSEC-0000-0000.md b/crates/anyhow/RUSTSEC-0000-0000.md
@@ -0,0 +1,70 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "anyhow"
+date = "2026-06-25"
+url = "https://github.com/dtolnay/anyhow/issues/451"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["unsound", "downcast_mut"]
+
+[affected.functions]
+"anyhow::Error::downcast_mut" = ["< 1.0.103"]
+
+[versions]
+patched = [">= 1.0.103"]
+```
+
+# Unsoundness in `Error::downcast_mut()`
+
+Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via `Error::context` and then later calls `Error::downcast_mut` on the returned `Error`.
+
+The flaw was corrected in commit `6e8c000` by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain.
+
+## Example
+
+```rust
+use anyhow::Error;
+use std::fmt;
+
+#[derive(Debug)]
+struct ErrorContext(&'static str);
+
+impl fmt::Display for ErrorContext {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        fmt::Display::fmt(&self.0, f)
+    }
+}
+
+fn main() {
+    let mut error = Error::msg("inner error").context(ErrorContext("old context"));
+    let context: &mut ErrorContext = error.downcast_mut().unwrap();
+    context.0 = "new context";
+    println!("{:?}", error);
+}
+```
+
+## Miri output
+
+```
+error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location
+   --> src/ptr.rs:170:18
+    |
+170 |         unsafe { &mut *self.ptr.as_ptr() }
+    |                  ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48]
+    |
+    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
+    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
+help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
+   --> src/ptr.rs:89:18
+    |
+ 89 |             ptr: NonNull::from(ptr),
+    |                  ^^^^^^^^^^^^^^^^^^
+    = note: stack backtrace:
+            0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
+                at src/ptr.rs:170:18: 170:41
+            1: anyhow::error::<impl anyhow::Error>::downcast_mut::<ErrorContext>
+                at src/error.rs:560:18: 560:46
+            2: main
+                at examples/downcast_mut.rs:15:38: 15:58
+```
diff --git a/crates/eyre/RUSTSEC-0000-0000.md b/crates/eyre/RUSTSEC-0000-0000.md
@@ -0,0 +1,69 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "eyre"
+date = "2026-06-26"
+url = "https://github.com/eyre-rs/eyre/issues/285"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["unsound", "downcast_mut"]
+
+[affected.functions]
+"eyre::Report::downcast_mut" = ["<= 0.6.12"]
+
+[versions]
+patched = []
+# patched = ["> 0.6.12"] # Include if fix lands in 0.6.13
+```
+
+# Unsoundness in `Report::downcast_mut()`
+
+Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to a report via `Report::wrap_err` and then later calls `Report::downcast_mut` on the returned `Report`.
+
+<!-- Include if https://github.com/eyre-rs/eyre/pull/286/commits is merged  -->
+<!-- The flaw was corrected in commit `d480cdd` by revising how the mutable reference is constructed, avoiding inclusion of a shared # reference in the resulting borrow chain. -->
+
+## Example
+
+```rust
+use eyre::Report;
+use std::fmt;
+
+#[derive(Debug)]
+struct ErrorContext(&'static str);
+
+impl fmt::Display for ErrorContext {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        fmt::Display::fmt(&self.0, f)
+    }
+}
+
+fn main() {
+    let mut error = Report::msg("inner error").wrap_err(ErrorContext("old context"));
+    let context: &mut ErrorContext = error.downcast_mut().unwrap();
+    context.0 = "new context";
+    println!("{:?}", error);
+}
+```
+
+## Miri output
+
+```
+error: Undefined Behavior: trying to retag from <1130> for Unique permission at alloc540[0x18], but that tag only grants SharedReadOnly permission for this location
+   --> /home/dfranke/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/non_null.rs:478:18
+    |
+478 |         unsafe { &mut *self.as_ptr() }
+    |                  ^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc540[0x18..0x28]
+    |
+    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
+    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
+help: <1130> was created by a SharedReadOnly retag at offsets [0x18..0x28]
+   --> eyre/src/error.rs:746:19
+    = note: stack backtrace:
+            0: std::ptr::NonNull::<ErrorContext>::as_mut::<'_>
+                at /home/dfranke/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/non_null.rs:478:18: 478:37
+            1: eyre::error::<impl eyre::Report>::downcast_mut::<ErrorContext>
+                at eyre/src/error.rs:447:18: 447:43
+            2: main
+                at eyre/examples/downcast_mut.rs:15:38: 15:58
+```
diff --git a/crates/miette/RUSTSEC-0000-0000.md b/crates/miette/RUSTSEC-0000-0000.md
@@ -0,0 +1,70 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "miette"
+date = "2026-05-31"
+url = "https://github.com/zkat/miette/issues/469"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["unsound", "downcast_mut"]
+
+[affected.functions]
+"miette::Report::downcast_mut" = ["<= 7.6.0"]
+
+[versions]
+patched = []
+```
+
+# Unsoundness in `Report::downcast_mut()`
+
+Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to a report via `Report::wrap_err` and then later calls `Report::downcast_mut` on the returned `Report`.
+
+No fix is currently available.
+
+## Example
+
+```rust
+use miette::Report;
+use std::fmt;
+
+#[derive(Debug)]
+struct ErrorContext(&'static str);
+
+impl fmt::Display for ErrorContext {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        fmt::Display::fmt(&self.0, f)
+    }
+}
+
+fn main() {
+    let mut error = Report::msg("inner error").wrap_err(ErrorContext("old context"));
+    let context: &mut ErrorContext = error.downcast_mut().unwrap();
+    context.0 = "new context";
+    println!("{:?}", error);
+}
+```
+
+## Miri output
+
+```
+error: Undefined Behavior: trying to retag from <1114> for Unique permission at alloc534[0x18], but that tag only grants SharedReadOnly permission for this location
+   --> src/eyreish/ptr.rs:172:9
+    |
+172 |         &mut *self.ptr.as_ptr()
+    |         ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc534[0x18..0x28]
+    |
+    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
+    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
+help: <1114> was created by a SharedReadOnly retag at offsets [0x18..0x28]
+   --> src/eyreish/ptr.rs:89:18
+    |
+ 89 |             ptr: NonNull::from(ptr),
+    |                  ^^^^^^^^^^^^^^^^^^
+    = note: stack backtrace:
+            0: miette::eyreish::ptr::Mut::<'_, ErrorContext>::deref_mut
+                at src/eyreish/ptr.rs:172:9: 172:32
+            1: miette::eyreish::error::<impl miette::Report>::downcast_mut::<ErrorContext>
+                at src/eyreish/error.rs:390:18: 390:46
+            2: main
+                at examples/downcast_mut.rs:15:38: 15:58
+```