rustsec-2025-0053
Vulnerability from osv_rustsec
Published: 2025-08-14 12:00
Modified: 2025-10-28 06:02
Summary: Multiple memory corruption vulnerabilities in safe APIs
Details

The crate has the following vulnerabilities:

  • The public trait arenavec::common::AllocHandle allows the return of raw pointers through its methods allocate and allocate_or_extend. However, the trait is not marked as unsafe, meaning users of the crate may implement it under the assumption that the library safely handles the returned raw pointers. These raw pointers can later be dereferenced within safe APIs of the crate, such as arenavec::common::SliceVec::push, potentially leading to arbitrary memory access.

  • The safe API arenavec::common::SliceVec::reserve can reach the private function arenavec::common::allocate_inner. Incorrect behavior in allocate_inner may result in a SliceVec with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between SliceVec.capacity and the actual reserved memory can lead to a heap buffer overflow.

  • The safe API arenavec::common::SliceVec::split_off can duplicate the ownership of the elements in self (of type SliceVec) if they implement the Drop trait. Specifically, when at == 0, the method returns a new SliceVec with the same length as self. Since both self and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.


{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "arenavec::common::AllocHandle::allocate",
            "arenavec::common::AllocHandle::allocate_or_extend",
            "arenavec::common::SliceVec::split_off",
            "arenavec::common::allocate_inner"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "arenavec",
        "purl": "pkg:cargo/arenavec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-3632-54q8-m96x"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The crate has the following vulnerabilities:\n\n- The public trait `arenavec::common::AllocHandle` allows the return of raw pointers through its methods `allocate` and `allocate_or_extend`. However, the trait is not marked as unsafe, meaning users of the crate may implement it under the assumption that the library safely handles the returned raw pointers. These raw pointers can later be dereferenced within safe APIs of the crate-such as `arenavec::common::SliceVec::push`-potentially leading to arbitrary memory access.\n\n- The safe API `arenavec::common::SliceVec::reserve` can reach the private function `arenavec::common::allocate_inner`. Incorrect behavior in `allocate_inner` may result in a `SliceVec` with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between `SliceVec.capacity` and the actual reserved memory can lead to a heap buffer overflow.\n\n- The safe API `arenavec::common::SliceVec::split_off` can duplicate the ownership of the elements in `self` (of type `SliceVec`) if they implement the `Drop` trait. Specifically, when `at == 0`, the method returns a new `SliceVec` with the same length as `self`. Since both `self` and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.",
  "id": "RUSTSEC-2025-0053",
  "modified": "2025-10-28T06:02:18Z",
  "published": "2025-08-14T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/arenavec"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0053.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/ibabushkin/arenavec/issues/4"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/ibabushkin/arenavec/issues/5"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/ibabushkin/arenavec/issues/6"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Multiple memory corruption vulnerabilities in safe APIs"
}

