VYPR
Critical severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35862

Description

BitVec-to-BitBox conversion in the bitvec Rust crate before 0.17.4 can cause use-after-free or double free, leading to memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

An issue was discovered in the bitvec crate for Rust, affecting versions prior to 0.17.4. The vulnerability resides in the conversion from BitVec to BitBox. During this conversion, the internal memory management can become incorrect, resulting in a use-after-free or double free condition [1][3]. This is a memory safety issue that can lead to undefined behavior.

Exploitation and Attack Surface

The bug is triggered when shrinking a BitVec into a BitBox. The root cause involves the Drop implementation of BitBox, which incorrectly reconstructs a Vec from a raw pointer and length, leading to a mismatch between the allocated capacity and the actual memory layout [4]. This can cause the deallocation routine to free memory that was not allocated or to access freed memory. The issue can be triggered with user-supplied data, and no special privileges are required; the vulnerability can be exploited remotely if an application processes untrusted input using the affected functionality [2][3].
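The mismatch described above, between the capacity a Vec was allocated with and the length a Drop impl later hands back to the allocator, is easiest to see with a small stand-alone model. The example below is added here and is not code from the bitvec crate; the Bits and BitsBox types are hypothetical stand-ins for a growable bit buffer and its frozen counterpart. It shows the two patterns that avoid the bug: freezing through into_boxed_slice, which trims the allocation so length and capacity agree before the Box takes ownership, and a raw-pointer round trip that keeps all three of pointer, length and capacity for Vec::from_raw_parts. has_spare_capacity reports the state in which rebuilding a Vec from (ptr, len) alone would be wrong.

```rust
use std::mem::ManuallyDrop;

/// Hypothetical growable bit buffer (constructed for this example, not a
/// bitvec type): bits are packed into bytes, least-significant bit first.
pub struct Bits {
    bytes: Vec<u8>,
    len_bits: usize,
}

/// Hypothetical frozen counterpart that owns an exactly-sized heap slice.
pub struct BitsBox {
    bytes: Box<[u8]>,
    len_bits: usize,
}

impl Bits {
    pub fn with_capacity(bits: usize) -> Self {
        Bits { bytes: Vec::with_capacity((bits + 7) / 8), len_bits: 0 }
    }

    pub fn push(&mut self, bit: bool) {
        let (byte, off) = (self.len_bits / 8, self.len_bits % 8);
        if byte == self.bytes.len() {
            self.bytes.push(0);
        }
        if bit {
            self.bytes[byte] |= 1u8 << off;
        }
        self.len_bits += 1;
    }

    pub fn get(&self, i: usize) -> Option<bool> {
        if i >= self.len_bits {
            return None;
        }
        Some((self.bytes[i / 8] & (1u8 << (i % 8))) != 0)
    }

    /// True when the backing allocation is larger than its length.  In that
    /// state, a Drop impl that rebuilds a Vec from (ptr, len) alone would
    /// report a capacity that differs from the block the allocator handed
    /// out, which is the mismatch the advisory describes.
    pub fn has_spare_capacity(&self) -> bool {
        self.bytes.capacity() != self.bytes.len()
    }

    /// Safe freeze: into_boxed_slice reallocates if needed so that the slice
    /// length equals the allocation size; Box<[u8]> then frees the block with
    /// exactly that layout when dropped.
    pub fn into_box(self) -> BitsBox {
        BitsBox { bytes: self.bytes.into_boxed_slice(), len_bits: self.len_bits }
    }

    /// Raw-pointer round trip done correctly: ptr, len AND cap are all kept
    /// and handed back to Vec::from_raw_parts, whose contract requires the
    /// original capacity.  ManuallyDrop keeps the original Vec from freeing
    /// the block before it is rebuilt, so there is a single owner at any time.
    pub fn raw_round_trip(self) -> Bits {
        let mut v = ManuallyDrop::new(self.bytes);
        let (ptr, len, cap) = (v.as_mut_ptr(), v.len(), v.capacity());
        // SAFETY: the triple comes from the Vec disassembled just above, and
        // ManuallyDrop guarantees nothing else will free that allocation.
        let rebuilt = unsafe { Vec::from_raw_parts(ptr, len, cap) };
        Bits { bytes: rebuilt, len_bits: self.len_bits }
    }
}

impl BitsBox {
    pub fn len(&self) -> usize {
        self.len_bits
    }

    pub fn byte_len(&self) -> usize {
        self.bytes.len()
    }

    pub fn get(&self, i: usize) -> Option<bool> {
        if i >= self.len_bits {
            return None;
        }
        Some((self.bytes[i / 8] & (1u8 << (i % 8))) != 0)
    }
}

fn main() {
    let mut b = Bits::with_capacity(64); // reserves 8 bytes, uses 2
    for i in 0..10 {
        b.push(i % 3 == 0);
    }
    println!("spare capacity before freeze: {}", b.has_spare_capacity());
    let boxed = b.raw_round_trip().into_box();
    println!("frozen: {} bits in {} byte(s)", boxed.len(), boxed.byte_len());
}
```

The point for reviewers of unsafe code is the invariant, not the types: whenever a Vec is disassembled into raw parts, the capacity must travel with the pointer and length, and a Box<[T]> may only be built from an allocation whose length already equals its capacity.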

Impact

Successful exploitation could result in memory corruption, potentially leading to arbitrary code execution, information disclosure, or denial of service. The CVSS score of 9.8 (Critical) reflects the ease of exploitation and the high impact on confidentiality, integrity, and availability [2][3]. An attacker might be able to craft input that causes the vulnerable code path to be executed, thereby gaining control of the program's memory.

Mitigation

The vulnerability is patched in version 0.17.4 and later of the bitvec crate [3]. Users should update to at least this version. Versions prior to 0.11.0 are unaffected [3]. No known workarounds exist other than updating the dependency. The issue is also tracked as RUSTSEC-2020-0007 and GHSA-7cjc-hvxf-gqh7 [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bitvec (crates.io)
Affected versions: >= 0.11.0, < 0.17.4
Patched versions: 0.17.4