Add security warning to ArrayPool.Return documentation (#12062)

Copilot · web-flow · commit 21b65b6f8642 · 2025-11-20T14:36:47.000-08:00
diff --git a/xml/System.Buffers/ArrayPool`1.xml b/xml/System.Buffers/ArrayPool`1.xml
@@ -309,6 +309,9 @@ The array returned by this method may not be zero-initialized.
 ## Remarks  
 
 Once a buffer has been returned to the pool, the caller gives up all ownership of the buffer and must not use it. The reference returned from a given call to the <xref:System.Buffers.ArrayPool%601.Rent%2A> method must only be returned using the <xref:System.Buffers.ArrayPool%601.Return%2A> method once. The default <xref:System.Buffers.ArrayPool%601> may hold onto the returned buffer in order to rent it again, or it may release the returned buffer if it's determined that the pool already has enough buffers stored.
+
+> [!IMPORTANT]
+> Returning the same array reference twice or continuing to use the array reference after it has been returned is a high-severity security issue. These actions can lead to [double-free](https://cwe.mitre.org/data/definitions/415.html) and [use-after-free](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities, which might result in data corruption, data leaks, and denial of service.
  ]]></format>
         </remarks>
       </Docs>
