RustSec flags soundness bug in anyhow's Error::downcast_mut
anyhow’s context-preserving error path can hit undefined behavior if Error::downcast_mut follows Error::context, and the fix landed in 1.0.103.
RustSec has flagged a soundness bug in anyhow’s Error::downcast_mut, a path that can turn ordinary-looking error wrapping into undefined behavior when context is added first and a mutable downcast comes later. The advisory, RUSTSEC-2026-0190, covers anyhow versions before 1.0.103 and affects a crate that sits in the error path of a huge amount of Rust application code.
The trigger is specific. A caller adds context with Error::context, then later calls Error::downcast_mut on the resulting Error. In that pattern, anyhow could build a mutable reference that included a shared reference in the borrow chain, which violates Rust’s aliasing rules and crosses into undefined behavior. RustSec says the flaw was corrected in commit 6e8c000 by revising how the mutable reference is constructed so the shared reference is no longer part of the resulting borrow chain.
The practical reach is wider than the advisory title suggests. Any project that uses anyhow directly or pulls it in transitively should check whether it depends on a version before 1.0.103, especially code that wraps lower-level errors, preserves context, and later tries to recover typed error information. anyhow’s own documentation says downcasts that worked before adding context should continue to work after adding context, which is exactly why this bug matters to maintainers who treat the crate as a thin convenience layer rather than as part of program correctness.
The upstream fix shipped in anyhow 1.0.103, whose release notes describe the patch as a “Stacked Borrows violation (UB) in Error::downcast_mut.” The RustSec advisory database, maintained by the Rust Secure Code Working Group for crates on crates.io, listed the issue as INFO on June 29, 2026. The advisory timeline shows the issue first reaching miette on May 31, then being reported to anyhow on June 25, the same day David Tolnay, @dtolnay, released the fix and RustSec approved the advisory.
The audit path is straightforward. Check dependency trees for any anyhow version below 1.0.103, then look for code that chains Error::context and Error::downcast_mut on the same error flow. Libraries that preserve context and applications that do custom error wrapping need to move first, because this is not a crash-only bug but a soundness issue in safe-looking API usage. In Rust, that is the kind of breakage that deserves a quick inventory and an immediate upgrade.
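The dependency check described above, as an added example (not code from RustSec or the anyhow project): a std-only Rust scanner that reads Cargo.lock text and reports any anyhow entry below 1.0.103, comparing versions numerically so that 1.0.99 is not mistaken for newer than 1.0.103. The sample lockfile, the demo-app package and the function names are constructed for illustration.

```rust
// First fixed release named in the advisory.
const FIXED: (u64, u64, u64) = (1, 0, 103);

// Constructed sample; a real audit would read Cargo.lock from disk.
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "anyhow"
version = "1.0.102"

[[package]]
name = "demo-app"
version = "0.1.0"
dependencies = [
 "anyhow",
]
"#;

/// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored (assumption).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Return every locked anyhow version that predates the fix.
fn vulnerable_anyhow(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name: Option<&str> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new package table: forget the previous name
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level lockfile `version = 3` is skipped: no name is set yet.
            let v = v.trim_matches('"');
            if name == Some("anyhow") {
                match parse_version(v) {
                    Some(p) if p >= FIXED => {}
                    _ => hits.push(v.to_string()), // older or unparsable: review it
                }
            }
        }
    }
    hits
}

fn main() {
    println!("anyhow versions to upgrade: {:?}", vulnerable_anyhow(SAMPLE_LOCK));
}
```

A lockfile hit only establishes that the affected version is in the build; the Error::context followed by Error::downcast_mut pattern still has to be located in the code that uses it.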
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.


