VYPR
Critical severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 5, 2024

CVE-2019-16140

Description

An issue was discovered in the chttp crate before 0.1.3 for Rust. There is a use-after-free during buffer conversion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in the chttp crate (before 0.1.3) for Rust allows memory corruption during buffer conversion.

Vulnerability

Overview

CVE-2019-16140 is a use-after-free vulnerability discovered in the chttp crate for Rust, a component that later evolved into the Isahc HTTP client library. The issue occurs during buffer conversion operations, where freed memory can be accessed, leading to undefined behavior [1][2]. The flaw affects versions of the chttp crate prior to 0.1.3 [4].

Attack

Vector and Prerequisites

The vulnerability is triggered when a Buffer is converted into a Vec. The conversion implementation was found to be unsound because it could allow accessing memory after it has been freed. An attacker can potentially exploit this remotely by crafting a request or response that triggers the conversion while the underlying buffer is no longer valid. The attack requires no authentication or special privileges, and no user interaction [4].
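The conversion described above, reconstructed as an added example that is not chttp's code: a constructed stand-in `Buffer` (a queue of byte chunks with `push`, `len` and `copy_to`) and a `From<Buffer> for Vec<u8>` written the way the 0.1.3 fix does it, where the `Vec` takes over the boxed slice's allocation and the slice is then forgotten so the memory has exactly one owner. A fully safe conversion without raw pointers is shown alongside it for comparison.

```rust
use std::mem;

/// Constructed stand-in for chttp's Buffer: a queue of byte chunks.
pub struct Buffer {
    chunks: Vec<Vec<u8>>,
}

impl Buffer {
    pub fn new() -> Self { Buffer { chunks: Vec::new() } }
    pub fn push(&mut self, bytes: &[u8]) { self.chunks.push(bytes.to_vec()); }
    pub fn len(&self) -> usize { self.chunks.iter().map(Vec::len).sum() }

    /// Copy as many bytes as fit into `out`; returns the number copied.
    pub fn copy_to(&self, out: &mut [u8]) -> usize {
        let mut n = 0;
        for chunk in &self.chunks {
            let take = chunk.len().min(out.len() - n);
            out[n..n + take].copy_from_slice(&chunk[..take]);
            n += take;
            if take < chunk.len() { break; }
        }
        n
    }
}

/// Same shape as the patched chttp conversion. Before 0.1.3 the call to
/// `mem::forget(slice)` was missing: `slice` was dropped at the end of the
/// function, freeing the allocation the returned Vec still pointed at.
impl From<Buffer> for Vec<u8> {
    fn from(buffer: Buffer) -> Vec<u8> {
        // into_boxed_slice() shrinks capacity to len, so the allocation is
        // exactly slice.len() bytes, which is what from_raw_parts needs below.
        let mut slice: Box<[u8]> = vec![0u8; buffer.len()].into_boxed_slice();
        let len = buffer.copy_to(&mut slice);
        unsafe {
            // SAFETY: ptr/capacity describe the Box's own allocation of u8,
            // and ownership moves to `vec`; `slice` is forgotten, not dropped.
            let vec = Vec::from_raw_parts(slice.as_mut_ptr(), len, slice.len());
            mem::forget(slice);
            vec
        }
    }
}

/// The same conversion with no unsafe code at all; equivalent result.
pub fn to_vec_safe(buffer: Buffer) -> Vec<u8> {
    let mut out = vec![0u8; buffer.len()];
    let len = buffer.copy_to(&mut out);
    out.truncate(len);
    out
}
```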

Impact

Successful exploitation could lead to memory corruption, which may allow an attacker to read sensitive data from memory, cause a denial of service, or potentially execute arbitrary code. The CVSS v3.1 score is 9.8 (Critical), indicating a high impact on confidentiality, integrity, and availability [4].

Mitigation

The vulnerability is patched in version 0.1.3 of the chttp crate. Users should upgrade to at least this version to remediate the issue. Versions below 0.1.1 are not affected [4]. No known workarounds are available; updating is recommended.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions     Patched versions
chttp (crates.io)    >= 0.1.1, < 0.1.3     0.1.3

Affected products: 3

Patches (1)

Commit 9e9f1fb44114: "fix #2"
https://github.com/sagebind/isahc · Stephen M. Coakley · Feb 2, 2018 · via ghsa
1 file changed · +16 −1
  • src/buffer.rs (+16 −1, modified)
    @@ -192,7 +192,9 @@ impl From<Buffer> for Vec<u8> {
             let len = buffer.copy_to(&mut slice);
     
             unsafe {
    -            Vec::from_raw_parts(slice.as_mut_ptr(), len, slice.len())
    +            let vec = Vec::from_raw_parts(slice.as_mut_ptr(), len, slice.len());
    +            mem::forget(slice);
    +            vec
             }
         }
     }
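Review bot: `mem::forget(slice)` needs `mem` in scope, and nothing in this hunk shows a `use std::mem;` in src/buffer.rs; confirm the import already exists or write `std::mem::forget(slice)` so the fix compiles on its own. The removed line shows the defect clearly: `Vec::from_raw_parts(slice.as_mut_ptr(), len, slice.len())` made the returned `Vec` a second owner of `slice`'s allocation while `slice` was still dropped at the end of the block, so the caller received a `Vec` pointing at freed memory and the allocation was freed twice. Forgetting `slice` after taking the pointer is the right ownership transfer, but `from_raw_parts` requires the capacity the allocation was actually made with; `slice.len()` is only correct when `slice` is a `Box<[u8]>` (or a `Vec<u8>` with no spare capacity), so add a `// SAFETY:` comment stating that invariant, or convert through `Box::into_raw` so the transfer is explicit and no `forget` is needed.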
    @@ -291,4 +293,17 @@ mod tests {
             buffer.copy_to(&mut out);
             assert!(&out == b"hello world");
         }
    +
    +    #[test]
    +    fn vec_from_buffer() {
    +        let mut buffer = Buffer::new();
    +        let bytes = b"hello world";
    +        buffer.push(bytes);
    +
    +        assert!(buffer.len() == bytes.len());
    +
    +        let vec = Vec::from(buffer);
    +
    +        assert!(&vec == bytes);
    +    }
     }
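Review bot: `vec_from_buffer` checks the round trip but does not on its own prove the use-after-free is gone: with the system allocator a double free of `slice`'s allocation can pass `cargo test` silently, so this test should also be run under Miri (`cargo +nightly miri test`) or an AddressSanitizer build to confirm the pre-fix code actually fails it. Style point: `assert_eq!(buffer.len(), bytes.len())` and `assert_eq!(&vec[..], &bytes[..])` would print both sides on failure, whereas `assert!(&vec == bytes)` only reports that the comparison was false.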
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0