Rust is a multi-paradigm programming language focused on performance and safety, especially safe concurrency.

Rust

When a canister method is called via `ic_cdk::call*`, a new Future `CallFuture` is created  and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called `CallFutureState`.  A bug in the polling implementation of the `CallFuture` allows multiple references to be held for this internal state and not all references were dropped before the `Future` is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister's heap and thus causing a memory leak. 
### Impact
Canisters built in Rust with `ic_cdk` and `ic_cdk_timers` are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. **In the worst case, this could lead to heap memory exhaustion triggered by an attacker.**
Motoko based canisters are not affected by the bug.
### Patches
The patch has been backported to all minor versions between `>= 0.8.0, <= 0.15.0`. The patched versions available are `0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1` and their previous versions have been yanked. 
### Workarounds
There are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of `ic_cdk` to avoid running out of Wasm heap memory. 
> Upgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it's only a temporary solution.
### Referencesas
- [dfinity/cdk-rs/pull/509](https://github.com/dfinity/cdk-rs/pull/509)
- [ic_cdk docs](https://docs.rs/ic-cdk/latest/ic_cdk/)
- [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-2fjw-whxm-9v4q	CRITICAL	9.3	Rust	nftnl	No	Yes	Nov 25, 2025
CVE-2025-66017	HIGH	8.2	Rust	cggmp21	No	Yes	Nov 25, 2025
GHSA-mj73-j457-8x9q	LOW	2.7	Rust	maxminddb	No	Yes	Dec 02, 2025
GHSA-pq5v-rwp8-p7gm	LOW	2.7	Rust	rtvm-interpreter	No	No	Dec 02, 2025
RUSTSEC-2025-0132	N/A	N/A	Rust	maxminddb	No	Yes	Nov 28, 2025

RUSTSEC-2024-0372:
Rust vulnerability analysis and mitigation

Overview

Technical details

Impact

Mitigation and workarounds

Additional resources

7.5

Related Rust vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

RUSTSEC-2024-0372: Rust vulnerability analysis and mitigation