rustsec-2025-0050
Vulnerability from osv_rustsec
Published: 2025-08-14 12:00
Modified: 2025-10-28 06:02
Summary
IdMap::from_iter may lead to uninitialized memory being freed on drop
Details

Due to a flaw in the constructor id_map::IdMap::from_iter, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of IdMap. Specifically, the field ids is initialized based on the capacity of the vector values, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.

In such cases, when the resulting IdMap is dropped, its destructor incorrectly assumes that values contains ids.len() == values.capacity() initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.
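
The length/capacity mismatch described above, modelled in safe Rust as an added example (not code from the id-map crate or the advisory). `MiniIdMap`, its two constructors, `phantom_slots` and `sample_values` are hypothetical names, and sizing `ids` from `len()` is an assumed corrected form, not a description of commit fab6922.

```rust
// Added illustration: a safe-Rust model of the bookkeeping, not the crate's code.
// It never touches uninitialized memory; it only counts slots that would be.

/// Hypothetical simplified container: `ids[i] == true` claims that
/// `values[i]` holds an initialized element.
struct MiniIdMap<T> {
    ids: Vec<bool>,
    values: Vec<T>,
}

impl<T> MiniIdMap<T> {
    /// Mirrors the flaw in the advisory: occupancy is sized from the capacity.
    fn from_vec_by_capacity(values: Vec<T>) -> Self {
        let ids = vec![true; values.capacity()];
        MiniIdMap { ids, values }
    }

    /// Assumed corrected form: occupancy is sized from the initialized length.
    fn from_vec_by_len(values: Vec<T>) -> Self {
        let ids = vec![true; values.len()];
        MiniIdMap { ids, values }
    }

    /// Slots marked occupied with no initialized element behind them.
    /// A destructor that trusts `ids` would try to drop this many garbage slots.
    fn phantom_slots(&self) -> usize {
        self.ids
            .iter()
            .enumerate()
            .filter(|(i, occupied)| **occupied && *i >= self.values.len())
            .count()
    }
}

/// Constructed input: 3 elements in a buffer with room for at least 8.
fn sample_values() -> Vec<String> {
    let mut v = Vec::with_capacity(8);
    v.extend(["a", "b", "c"].iter().map(|s| s.to_string()));
    v
}

fn main() {
    let flawed = MiniIdMap::from_vec_by_capacity(sample_values());
    let fixed = MiniIdMap::from_vec_by_len(sample_values());
    println!("capacity-sized ids: {} phantom slots", flawed.phantom_slots());
    println!("len-sized ids:      {} phantom slots", fixed.phantom_slots());
}
```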

The bug was fixed in commit fab6922, and all unsafe code was removed from the crate.

Note that the maintainer recommends using the following alternatives:

  • slab
  • slotmap


{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "id_map::IdMap::from_iter"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "id-map",
        "purl": "pkg:cargo/id-map"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.6"
            },
            {
              "fixed": "0.2.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-qq4c-hm99-979m"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of `IdMap`. Specifically, the field `ids` is initialized based on the capacity of the vector `values`, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.\n\nIn such cases, when the resulting `IdMap` is dropped, its destructor incorrectly assumes that `values` contains `ids.len() == values.capacity()` initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.\n\nThe bug was fixed in commit `fab6922`, and all unsafe code was removed from the crate.\n\nNote that the maintainer recommends using the following alternatives:\n- [slab](https://crates.io/crates/slab)\n- [slotmap](https://crates.io/crates/slotmap)",
  "id": "RUSTSEC-2025-0050",
  "modified": "2025-10-28T06:02:18Z",
  "published": "2025-08-14T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/id-map"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0050.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/andrewhickman/id-map/issues/4"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "IdMap::from_iter may lead to uninitialized memory being freed on drop"
}

