Commit 7d5fa4d

Copilot and jkotas committed
Add security note to ArrayPool.Return documentation
Co-authored-by: jkotas <[email protected]>
1 parent 2034d04 commit 7d5fa4d

1 file changed, +3 -0 lines changed

xml/System.Buffers/ArrayPool`1.xml

Lines changed: 3 additions & 0 deletions
@@ -309,6 +309,9 @@ The array returned by this method may not be zero-initialized.
309309
## Remarks
310310
311311
Once a buffer has been returned to the pool, the caller gives up all ownership of the buffer and must not use it. The reference returned from a given call to the <xref:System.Buffers.ArrayPool%601.Rent%2A> method must only be returned using the <xref:System.Buffers.ArrayPool%601.Return%2A> method once. The default <xref:System.Buffers.ArrayPool%601> may hold onto the returned buffer in order to rent it again, or it may release the returned buffer if it's determined that the pool already has enough buffers stored.
312+
313+
> [!IMPORTANT]
314+
> Returning the same array reference twice or continuing to use the array reference after it has been returned is a high-severity security issue. These actions can lead to [double-free](https://cwe.mitre.org/data/definitions/415.html) and [use-after-free](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities, which might result in memory corruption, data leaks, or arbitrary code execution.
312315
]]></format>
313316
</remarks>
314317
</Docs>
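
Review bot: The added IMPORTANT note names double-free and use-after-free but does not say how they arise with a pooled array, which readers of a managed API are likely to ask. The paragraph just above already says the pool "may hold onto the returned buffer in order to rent it again", so one connecting sentence would close the gap: a buffer that is returned twice, or still used after it was returned, can be rented out to another caller while the first caller still reads or writes it. The note also restates the existing rule that a reference "must only be returned ... once"; consider folding the new text into that paragraph, or trimming the note to the consequence so the rule is stated in one place.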
