RUSTSEC-2021-0054

Archives may contain uninitialized memory

Reported

April 28, 2021

Issued

April 29, 2021 (last modified: June 13, 2023)

Package

rkyv (crates.io)

Type

Vulnerability

Categories

memory-exposure

Keywords

#uninitialized #memory #information #leak

Aliases

References

https://github.com/djkoloski/rkyv/issues/113

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Patched

>=0.6.0

Affected Functions

Version

rkyv::Archive::resolve

<0.6.0

Description

rkyv is a serialization framework that writes struct-compatible memory to be stored or transmitted. During serialization, struct padding bytes and unused enum bytes may not be initialized. These bytes may be written to disk or sent over unsecured channels.

Advisory available under CC0-1.0 license.