VYPR
Critical severity · NVD Advisory · Published Aug 26, 2019 · Updated Aug 5, 2024

CVE-2018-20995

Description

An issue was discovered in the slice-deque crate before 0.1.16 for Rust. move_head_unchecked allows memory corruption because deque updates are mishandled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The slice-deque crate before 0.1.16 has a bug in move_head_unchecked that can cause memory corruption due to improper deque updates.

Root Cause

The slice-deque crate for Rust provides a double-ended queue (ring buffer) that dereferences into a slice. In versions prior to 0.1.16, the move_head_unchecked function did not correctly update the deque's internal head pointer when elements were removed from the front. This mishandling leads to memory corruption because subsequent operations can read from or write to memory regions that have already been logically dequeued [1][2].

Exploitation

An attacker can trigger this vulnerability by causing a series of pop_front() operations on a SliceDeque in an application that uses the vulnerable crate. No special privileges or user interaction are required, as the bug manifests during normal deque operations [2][3]. The corruption occurs when the head is moved without properly bounding the internal state, leading to out-of-bounds access on subsequent reads or writes. The issue was originally reported in a scenario involving repeated pushes and pops [4].

Impact

Successful exploitation can result in reading corrupted memory, leading to information disclosure, or writing to arbitrary memory locations, which may allow remote code execution (RCE). The CVSSv3 score of 9.8 (Critical) reflects the low attack complexity, no required privileges, and high impact on confidentiality, integrity, and availability [2][3].

Mitigation

The vulnerability is patched in slice-deque version 0.1.16. Users should update the crate to this or a later release. No workarounds are available for the unsound move_head_unchecked function [2].
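
One way to check a project against the fixed version stated above, as an added example (not code from the advisory or from the slice-deque project): it scans Cargo.lock text for slice-deque entries older than 0.1.16. The function names and the sample lockfile are constructed for illustration.

```rust
const CRATE: &str = "slice-deque"; // crate named in the advisory
const FIXED: (u64, u64, u64) = (0, 1, 16); // first patched release per the advisory

// Constructed sample lockfile, not taken from a real project.
const SAMPLE: &str = r#"version = 3

[[package]]
name = "demo-app"
version = "0.1.0"

[[package]]
name = "slice-deque"
version = "0.1.15"
"#;

/// Parse "MAJOR.MINOR.PATCH"; a pre-release or build suffix is ignored (assumption).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let ver = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(ver) }
}

/// Value of a `key = "value"` line, if the line carries exactly that key.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Versions of slice-deque in the lockfile that predate the fix (or cannot be parsed).
fn vulnerable_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        let (mut name, mut version) = (None, None);
        for line in block.lines() {
            if line.trim_start().starts_with('[') { break; } // next table, e.g. [metadata]
            if let Some(v) = quoted(line, "name") { name = Some(v); }
            if let Some(v) = quoted(line, "version") { version = Some(v); }
        }
        if name != Some(CRATE) { continue; }
        match version.and_then(parse_version) {
            Some(v) if v >= FIXED => {} // patched release, nothing to report
            _ => hits.push(version.unwrap_or("unknown").to_string()),
        }
    }
    hits
}

fn main() {
    for v in vulnerable_versions(SAMPLE) {
        println!("{} {} predates the fixed release 0.1.16", CRATE, v);
    }
}
```

A lockfile can hold several versions of the same crate, so every matching entry is reported rather than only the first.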

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
slice-deque (crates.io) | < 0.1.16 | 0.1.16
