Reported

January 4, 2021

Issued

March 7, 2021 (last modified: June 13, 2023)

Package

endian_trait (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Aliases

• CVE-2021-29929
• GHSA-vpw8-43wm-rxw5

References

• https://gitlab.com/myrrlyn/endian_trait/-/issues/1

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

no patched versions

Description

Affected versions of the crate does not guard against panic from user-provided impl of Endian trait, which is a safe trait that users can implement. If a user-provided implementation of the Endian trait panics, double-drop is triggered due to the duplicated ownership of T created by ptr::read().

Double-drop (or double free) can cause memory corruption in the heap.

Advisory available under CC0-1.0 license.