VYPR
Critical severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 5, 2024

CVE-2019-16139

Description

An issue was discovered in the compact_arena crate before 0.4.0 for Rust. Generativity is mishandled, leading to an out-of-bounds write or read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The compact_arena crate before 0.4.0 mishandles generativity, allowing out-of-bounds memory access across arenas.

Vulnerability

The compact_arena crate (versions prior to 0.4.0) provides memory-efficient indexed arenas for Rust. A flaw in its generativity mechanism (the type-level brand that is supposed to tie each index to the arena that created it) allows indices created in one arena to be used to access elements of another arena, bypassing the type-level safety intended to prevent such cross-arena operations [2]. This unsoundness leads to out-of-bounds reads or writes when user code mistakenly or intentionally indexes into a different arena.
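For readers unfamiliar with the mechanism this paragraph refers to, the following is an added, self-contained illustration of the generativity (lifetime-branding) pattern that an arena of this kind relies on. It is example code written for this page, not compact_arena's implementation, and its names (Brand, Idx, Arena, with_arena, sum_of_two_entries) are hypothetical. The brand is an invariant lifetime parameter chosen by with_arena rather than by the caller, so an Idx<'id> can only be passed to the Arena<'id, T> that minted it, and indexing a different arena is rejected at compile time instead of becoming an out-of-bounds access.

```rust
use std::marker::PhantomData;

// Added illustration of the lifetime-branding ("generativity") pattern.
// Hypothetical names; this is not compact_arena's code.

/// Invariant lifetime brand. `fn(&'id ()) -> &'id ()` is invariant in `'id`,
/// so the compiler cannot shrink or grow one arena's `'id` to match another's.
#[derive(Clone, Copy)]
pub struct Brand<'id>(PhantomData<fn(&'id ()) -> &'id ()>);

impl<'id> Brand<'id> {
    fn new() -> Self {
        Brand(PhantomData)
    }
}

/// An index that is only valid for the arena carrying the same brand.
#[derive(Clone, Copy)]
pub struct Idx<'id> {
    raw: usize,
    _brand: Brand<'id>,
}

/// Append-only arena; every `Idx<'id>` it hands out stays in bounds because
/// elements are never removed and no other arena can mint an `Idx<'id>`.
pub struct Arena<'id, T> {
    items: Vec<T>,
    _brand: Brand<'id>,
}

impl<'id, T> Arena<'id, T> {
    pub fn push(&mut self, value: T) -> Idx<'id> {
        let raw = self.items.len();
        self.items.push(value);
        Idx { raw, _brand: Brand::new() }
    }

    /// Accepts only indices branded for this arena. Bounds checking is kept
    /// anyway: the brand is the type-level guarantee, the check is a cheap
    /// runtime safety net that would catch a broken brand.
    pub fn get(&self, idx: Idx<'id>) -> &T {
        &self.items[idx.raw]
    }

    pub fn len(&self) -> usize {
        self.items.len()
    }
}

/// Creates an arena whose brand exists only inside `f`. The `for<'id>` bound
/// means the closure must work for a brand it did not choose, and `R` cannot
/// mention `'id`, so no `Idx<'id>` can escape and be used elsewhere.
pub fn with_arena<T, R>(f: impl for<'id> FnOnce(Arena<'id, T>) -> R) -> R {
    f(Arena { items: Vec::new(), _brand: Brand::new() })
}

/// Normal use: indices minted by an arena are used with that same arena.
pub fn sum_of_two_entries() -> i32 {
    with_arena::<i32, i32>(|mut arena| {
        let a = arena.push(10);
        let b = arena.push(32);
        *arena.get(a) + *arena.get(b)
    })
}

// What the brand forbids (this does not compile, so it is shown as a comment):
//
//   with_arena::<i32, ()>(|mut first| {
//       let idx = first.push(1);
//       with_arena::<i32, ()>(|second| {
//           let _ = second.get(idx); // error: brand lifetimes do not match
//       });
//   });
//
// In an arena that trusts its brand enough to skip bounds checks, an index
// accepted across brands is exactly the cross-arena out-of-bounds access the
// advisory describes.

fn main() {
    println!("sum = {}", sum_of_two_entries());
}
```

The two halves of the guarantee are the invariant PhantomData marker, which stops the compiler from unifying two brands, and the higher-ranked closure in with_arena, which stops a brand (and any index carrying it) from outliving its arena. Dropping either half silently turns the type-level check into a convention.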

Exploitation

An attacker (or unsuspecting code) can exploit this by creating two distinct arena instances and using an index obtained from the first to index into the second, as demonstrated in a proof-of-concept [3]. No authentication or special network position is required—any code that uses the vulnerable crate is exposed. The bug is triggered purely through local program logic, but because Rust code often processes untrusted data, the risk is real.

Impact

Successful exploitation results in memory corruption: an out-of-bounds read or write [1]. This can lead to information disclosure, data tampering, or denial of service depending on what memory is accessed. The RustSec advisory assigns a CVSS 9.8 (critical) due to network attack vector, low complexity, and high impact on confidentiality, integrity, and availability [2].

Mitigation

The issue is fixed in compact_arena version 0.4.0 and later [2]. Users should update immediately. No workarounds are known; the only safe option is to upgrade.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
compact_arena (crates.io)  < 0.4.0             0.4.0

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.