CVE-2019-15554

The vulnerability resides in the SmallVec::grow() method of the Rust smallvec crate. When a SmallVec has spilled its contents to the heap and grow() is subsequently called with a new capacity that is less than the current capacity but still larger than the inline size, the method incorrectly handles the transition back to inline storage. Specifically, it fails to update the internal capacity field, leaving the vector in an inconsistent state that can lead to memory corruption [1][2][3].

Exploitation requires an attacker to control the argument passed to grow() after the vector has spilled. The RustSec advisory notes that this can result in memory corruption and potentially arbitrary code execution [2]. A minimal proof-of-concept demonstrates that after calling grow() with a smaller size, subsequent operations on the vector exhibit undefined behavior, such as reading uninitialized memory [3].

The impact is severe: the vulnerability carries a CVSS score of 9.8 (Critical) with a network attack vector, low attack complexity, no privileges required, and no user interaction. Successful exploitation could lead to complete compromise of confidentiality, integrity, and availability [2]. The issue affects smallvec versions 0.6.3 through 0.6.9; earlier versions are unaffected because they lack the grow method [2].

The fix was released in version 0.6.10, which properly updates the capacity when transitioning back to inline storage [3]. Users are advised to update to 0.6.10 or later. The RustSec advisory lists the patched version as >=0.6.10 [2].