CVE-2021-25900
CRITICAL9.8EPSS 0.53%Buffer overflow in SmallVec::insert_many
Description
A bug in the `SmallVec::insert_many` method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap. This bug was only triggered if the iterator passed to `insert_many` yielded more items than the lower bound returned from its `size_hint` method. The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of `insert_many` to use less unsafe code, so it is easier to verify its correctness. Thank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.
Affected packages (3)
- crates.io/smallvec>= 0.6.3, < 0.6.14
- crates.io/smallvec>= 0.6.3, < 0.6.14, >= 1.0.0, < 1.6.1
- Debian/rust-smallvecfrom 0, < 1.4.2-2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25900
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-25900
- PATCHhttps://crates.io/crates/smallvec
- PATCHhttps://github.com/servo/rust-smallvec
- WEBhttps://github.com/servo/rust-smallvec/commit/5757ac500d4e544485d796b542e4e589749c291b
- WEBhttps://github.com/servo/rust-smallvec/commit/9998ba0694a6b51aa6604748b00b6a98f0a0039e
- WEBhttps://github.com/servo/rust-smallvec/issues/252
- WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0003.html