Reported

January 6, 2021

Issued

January 30, 2021 (last modified: June 13, 2023)

Package

calamine (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• memory-exposure

Aliases

• CVE-2021-26951
• GHSA-ppqp-78xx-3r38

References

• https://github.com/tafia/calamine/issues/199

CVSS Score

9.8 CRITICAL

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.17.0

Description

Affected versions of this crate arbitrarily calls Vec::set_len to increase length of a vector without claiming more memory for the vector. Affected versions of this crate also calls user-provided Read on the uninitialized memory of the vector that was extended with Vec::set_len.

This can overwrite active entities in adjacent heap memory and seems to be a major security issue. Also, calling user-provided Read on uninitialized memory is defined as UB in Rust.

Advisory available under CC0-1.0 license.