GHSA-2pgj-5cv2-6xxw: 
Rust vulnerability analysis and mitigation

A high-severity memory safety vulnerability (GHSA-2pgj-5cv2-6xxw) was discovered in the Fuel Virtual Machine (FuelVM) affecting versions < 0.60.1 and < 0.59.3. The vulnerability was disclosed on October 7, 2025, and allowed memory reads to bypass expected access controls when performing memory operations on deallocated memory regions (GitHub Advisory).

The vulnerability occurs when a smart contract performs memory operations (like mload) on memory that had been deallocated using ret instruction. Due to improper memory management, the contract could still access old memory contents because the memory region was not zeroed out or marked as invalid after deallocation. This represents a Use-After-Free (CWE-416) vulnerability with a CVSS v4 base score of 8.7 (High) (GitHub Advisory).

The vulnerability enables smart contracts to potentially read sensitive data left over from other contracts if the same memory was reallocated, violating isolation guarantees between contracts and enabling unintended data leakage. All users running affected versions of FuelVM that relied on strict memory isolation between smart contracts were impacted (GitHub Advisory).

The vulnerability was patched in FuelVM versions 0.60.1 and 0.59.3, released on April 18th, 2025. The fix ensures that memory deallocated with ret is properly zeroed out or made inaccessible. No reliable workarounds existed prior to the patch, as manual zeroing of sensitive memory regions was error-prone and could not be enforced at the VM level. Users are strongly recommended to upgrade to the patched versions (GitHub Advisory, FuelVM PR).