VYPR
High severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 5, 2024

CVE-2019-16144

Description

An issue was discovered in the generator crate before 0.6.18 for Rust. Uninitialized memory is used by Scope, done, and yield_ during API calls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The generator crate for Rust before 0.6.18 uses uninitialized memory in Scope, done, and yield_ APIs, leading to potential memory corruption.

Description

The generator crate for Rust (versions before 0.6.18) suffers from unsound APIs that use uninitialized memory in the Scope, done, and yield_ functions [1][3]. This leads to undefined behavior (UB) and potential memory corruption, as reported in GitHub issues #9 and #14 [2].

Exploitation

The vulnerability is triggered when an application that uses the generator crate calls the affected APIs. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network attack vector with low complexity and no required privileges or user interaction [3]. Under that scoring, the issue is rated as exploitable remotely without authentication; whether the affected calls are actually reachable depends on how the application uses the crate.

Impact

Successful exploitation can cause a denial of service (availability impact) due to memory corruption. There is no direct impact on confidentiality or integrity, but UB can lead to unpredictable behavior [3].

Mitigation

The issue is fixed in generator crate version 0.6.18 and later [3]. Users should update to the latest patched version.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| generator (crates.io) | < 0.6.18 | 0.6.18 |
