Reported

September 25, 2018

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

smallvec (crates.io)

Type

INFO Unsound

Aliases

• CVE-2018-25023
• GHSA-55m5-whcv-c49c
• GHSA-66p5-j55p-32r9

References

• https://github.com/servo/rust-smallvec/issues/126

Patched

• >=0.6.13

Description

Affected versions of this crate called mem::uninitialized() to create values of a user-supplied type T. This is unsound e.g. if T is a reference type (which must be non-null and thus may not remain uninitialized).

The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.

Advisory available under CC0-1.0 license.