Skip to content

Double free in smallvec

Critical severity GitHub Reviewed Published Aug 25, 2021 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo smallvec (Rust)

Affected versions

>= 0.3.2, < 0.6.3

Patched versions

0.6.3

Description

If an iterator passed to SmallVec::insert_many panicked in Iterator::next, destructors were run during unwinding while the vector was in an inconsistent state, possibly causing a double free (a destructor running on two copies of the same value).

This is fixed in smallvec 0.6.3 by ensuring that the vector's length is not updated to include moved items until they have been removed from their original positions. Items may now be leaked if Iterator::next panics, but they will not be dropped more than once.

References

Reviewed Aug 19, 2021
Published to the GitHub Advisory Database Aug 25, 2021
Last updated Jun 13, 2023

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2018-20991

GHSA ID

GHSA-rxr4-x558-x7hw

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.