Reported

September 3, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

simple-slab (crates.io)

Type

Vulnerability

Aliases

• CVE-2020-35892
• CVE-2020-35893
• GHSA-438g-fx34-4h9m
• GHSA-hqc8-j86x-2764

References

• https://github.com/nathansizemore/simple-slab/issues/2

Patched

• >=0.3.3

Description

Slab::index() does not perform the boundary checking, which leads to out-of-bound read access. Slab::remove() copies an element from an invalid address due to off-by-one error, resulting in memory leakage and uninitialized memory drop.

Advisory available under CC0-1.0 license.