Reported

July 16, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

memoffset (crates.io)

Type

INFO Unsound

Aliases

• CVE-2019-15553
• GHSA-rh89-x75f-rh3c

References

• https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

None

Availability Impact

None

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Patched

• >=0.5.0

Description

Affected versions of this crate caused traps and/or memory unsafety by zero-initializing references. They also could lead to uninitialized memory being dropped if the field for which the offset is requested was behind a deref coercion, and that deref coercion caused a panic.

The flaw was corrected by using MaybeUninit.

Advisory available under CC0-1.0 license.