rustsec-2025-0054
Vulnerability from osv_rustsec
The safe API array_queue::ArrayQueue::push_front can lead to deallocating uninitialized memory if a panic occurs while invoking the clone method on the passed argument.
Specifically, push_front receives an argument that is intended to be cloned and pushed, whose type implements the Clone trait. Furthermore, the method updates the queue's start index before initializing the slot for the newly pushed element. User-defined implementations of Clone may include a clone method that can panic. If such a panic occurs during initialization, the structure is left with an advanced start index pointing to an uninitialized slot. When ArrayQueue is later dropped, its destructor treats that slot as initialized and attempts to drop it, resulting in an attempt to free uninitialized memory.
The bug was fixed in commit 728fe1b.
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"array_queue::ArrayQueue::push_front"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "array-queue",
"purl": "pkg:cargo/array-queue"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.4.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-xqjr-wfx3-gmxv"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "The safe API `array_queue::ArrayQueue::push_front` can lead to deallocating uninitialized memory if a panic occurs while invoking the `clone` method on the passed argument.\n\nSpecifically, `push_front` receives an argument that is intended to be cloned and pushed, whose type implements the `Clone` trait. Furthermore, the method updates the queue\u0027s `start` index before initializing the slot for the newly pushed element. User-defined implementations of `Clone` may include a `clone` method that can panic. If such a panic occurs during initialization, the structure is left with an advanced `start` index pointing to an uninitialized slot. When `ArrayQueue` is later dropped, its destructor treats that slot as initialized and attempts to drop it, resulting in an attempt to free uninitialized memory.\n\nThe bug was fixed in commit `728fe1b`.",
"id": "RUSTSEC-2025-0054",
"modified": "2025-10-28T06:02:18Z",
"published": "2025-08-14T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/array-queue"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0054.html"
},
{
"type": "REPORT",
"url": "https://github.com/raviqqe/array-queue/issues/3"
}
],
"related": [],
"severity": [],
"summary": "ArrayQueue::push_front is not panic-safe"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.