VYPR
Critical severity · NVD Advisory · Published Aug 26, 2019 · Updated Aug 5, 2024

CVE-2018-20991


Description

An issue was discovered in the smallvec crate before 0.6.3 for Rust. The Iterator implementation mishandles destructors, leading to a double free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In smallvec crate before 0.6.3, the `SmallVec::insert_many` method mishandles destructors, causing a double free during unwinding.

Vulnerability

Description

The smallvec crate for Rust provides a "small vector" optimization that stores a small number of items on the stack before spilling to the heap. In versions before 0.6.3, the `SmallVec::insert_many` method contains a flaw in its Iterator implementation that mishandles destructors, leading to a double free [1][2]. The root cause is that the method does not properly update the vector length before iterating over the inserted elements, so if a panic occurs during iteration, the drop implementation may run on already-freed memory [2][4].
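The length-before-iteration pattern described above, as an added example that is not smallvec's code or its patch. It assumes a free function `insert_many` over a standard `Vec<T>`, and the `Tracked` type and `drops_after_panic` scenario are constructed here to make drops observable.

```rust
use std::{cell::RefCell, panic, ptr, rc::Rc};

/// Insert the iterator's items at `index`; stays sound if `iter.next()` panics.
pub fn insert_many<T, I: Iterator<Item = T>>(v: &mut Vec<T>, index: usize, mut iter: I) {
    let (old_len, gap) = (v.len(), iter.size_hint().0); // gap: untrusted lower bound
    assert!(index <= old_len);
    v.reserve(gap);
    let mut written = 0;
    unsafe {
        let base = v.as_mut_ptr().add(index);
        // Open the gap. It still holds stale bitwise copies of the moved tail.
        ptr::copy(base, base.add(gap), old_len - index);
        // Hardening step: give up ownership of everything from `index` on before
        // caller code runs, so a panic in next() leaks instead of double-dropping.
        v.set_len(index);
        while written < gap {
            match iter.next() {
                Some(item) => ptr::write(base.add(written), item),
                None => break,
            }
            written += 1;
        }
        // Fewer items than promised: close what is left of the gap.
        ptr::copy(base.add(gap), base.add(written), old_len - index);
        v.set_len(old_len + written);
    }
    // More items than the lower bound promised: plain safe inserts.
    for (i, item) in iter.enumerate() {
        v.insert(index + written + i, item);
    }
}

/// Constructed helper: appends its id to a shared log when dropped.
pub struct Tracked(pub u32, pub Rc<RefCell<Vec<u32>>>);
impl Drop for Tracked {
    fn drop(&mut self) { self.1.borrow_mut().push(self.0); }
}

/// Constructed scenario: the iterator panics on its second item; returns dropped ids.
pub fn drops_after_panic() -> Vec<u32> {
    let log = Rc::new(RefCell::new(Vec::new()));
    let mut v: Vec<Tracked> = (0..4).map(|i| Tracked(i, log.clone())).collect();
    let l = log.clone();
    let items = (10..13).map(move |i| if i == 11 { panic!("constructed") } else { Tracked(i, l.clone()) });
    let _ = panic::catch_unwind(panic::AssertUnwindSafe(|| insert_many(&mut v, 1, items)));
    drop(v); // the Vec owns only element 0 now; nothing is dropped twice
    log.take()
}

fn main() { println!("dropped after panic: {:?}", drops_after_panic()); }
```

Leaking the tail on panic is the accepted trade-off here: a leak is memory-safe, whereas leaving the length at its old value while the gap holds stale copies lets unwinding drop the same value twice.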

Exploitation

Prerequisites

An attacker can exploit this vulnerability without authentication or user interaction, as the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates network-based exploitation with low complexity [2]. The bug is triggered when `insert_many` is called with an iterator that panics during insertion, causing Rust's unwinding mechanism to invoke destructors on invalid state. This requires a crafted input that causes the panic, but no special privileges are needed.

Impact

Successful exploitation results in a double free, leading to memory corruption. The CVSS score of 9.8 (Critical) reflects high impacts on confidentiality, integrity, and availability [2]. An attacker could potentially corrupt heap or stack data, leading to arbitrary code execution or denial of service.

Mitigation

Status

The vulnerability is fixed in smallvec versions 0.6.3, 0.3.4, 0.4.5, and 0.5.1 [2]. Users should update to these patched versions immediately. The advisory notes that versions prior to 0.3.2 are unaffected because they do not include the vulnerable `insert_many` method [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| smallvec (crates.io) | >= 0.3.2, < 0.6.3 | 0.6.3 |
