Main Vulnerability Database Vulnerabilities #VU26468

#VU26468 Use-after-free in Rust Programming Language and bitvec

Published: March 31, 2020

Vulnerability identifier: #VU26468

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: N/A

CWE-ID: CWE-416

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Rust Programming Language
bitvec

Software vendor:
Rust Team
Alexander Payne

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when conversion of BitVec to BitBox does not account for allocation movement. A remote attacker can execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://rustsec.org/advisories/RUSTSEC-2020-0007.html
https://github.com/myrrlyn/bitvec/issues/55