CVE-2020-35864
Description
An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The flatbuffers Rust crate let safe code transmute arbitrary bit patterns into any EndianScalar type through read_scalar and read_scalar_at, producing undefined behavior and, in practice, crashes.
Vulnerability
CVE-2020-35864 is a soundness issue in the flatbuffers Rust crate (crates.io) affecting every release from 0.4.0 up to, but not including, 2.0.0. The functions read_scalar and read_scalar_at reinterpret a byte slice as any type T implementing the crate's EndianScalar trait, doing the raw pointer read inside the library, yet both were callable from safe code, and EndianScalar was an ordinary public trait that downstream code could implement for any type it liked. The result is a safe function that behaves like mem::transmute, which violates Rust's safety guarantees because it can manufacture invalid bit patterns for types with validity invariants (bool, the NonZero integers, references) [1][4].
Exploitation
No privileges or user interaction are required, and NVD scores the issue 7.5 (network vector, low complexity). The bug is reachable wherever an application hands attacker-controlled bytes to read_scalar or read_scalar_at, directly or through code built on them, for a type whose valid values are a strict subset of its bit patterns. The RustSec advisory's examples are a bool holding the value 3, a NonZeroI32 built from all-zero bytes (breaking the non-zero invariant), and a dangling &'static str that segfaults when used [4]. Each is immediate undefined behavior, so the observable outcome (a crash, a silently wrong value, or something worse) depends on what the compiler did with the broken assumption, not on anything the attacker controls directly.
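To make the soundness argument in the Vulnerability and Exploitation sections concrete, here is an added example written for this page; it is neither flatbuffers' own source nor the 2.0.0 fix. It puts a stand-in with the vulnerable shape, read_scalar_unsound, whose safe signature hides an unchecked pointer read, next to a checked replacement in which every decodable type validates its own bytes and is allowed to fail. The trait name LeScalar, the SAMPLE buffer and all function bodies are assumptions constructed for the example.

```rust
// Added example for this page: a minimal model of the CVE-2020-35864 API
// shape and one sound alternative. This is not flatbuffers' source code.
use std::convert::TryInto;
use std::num::NonZeroI32;

/// The vulnerable shape (simplified stand-in for the crate's read_scalar):
/// safe to call, generic over any Copy type, raw pointer read inside.
/// Nothing stops `read_scalar_unsound::<bool>(&[3])`, which is immediate
/// undefined behaviour, so this function is unsound even though it compiles.
pub fn read_scalar_unsound<T: Copy>(s: &[u8]) -> T {
    assert!(s.len() >= std::mem::size_of::<T>(), "short read");
    // The bounds check above protects memory, not validity: for T = bool,
    // NonZeroI32 or &'static str the bytes can still form an invalid value.
    unsafe { std::ptr::read_unaligned(s.as_ptr() as *const T) }
}

/// Sound alternative (an assumption for this example, not the upstream fix):
/// each type decodes itself from little-endian bytes and may reject them.
pub trait LeScalar: Sized + Copy {
    const SIZE: usize;
    fn from_le_slice(bytes: &[u8]) -> Option<Self>;
}

macro_rules! int_scalar {
    ($($t:ty),*) => {$(
        impl LeScalar for $t {
            const SIZE: usize = std::mem::size_of::<$t>();
            fn from_le_slice(bytes: &[u8]) -> Option<Self> {
                // Every bit pattern is a valid integer, so only the length can fail.
                Some(<$t>::from_le_bytes(bytes.try_into().ok()?))
            }
        }
    )*};
}
int_scalar!(u8, i8, u16, i16, u32, i32, u64, i64);

impl LeScalar for bool {
    const SIZE: usize = 1;
    fn from_le_slice(bytes: &[u8]) -> Option<Self> {
        // Only 0 and 1 are valid bools; the advisory's "bool of 3" is rejected here.
        match *bytes.first()? {
            0 => Some(false),
            1 => Some(true),
            _ => None,
        }
    }
}

impl LeScalar for NonZeroI32 {
    const SIZE: usize = 4;
    fn from_le_slice(bytes: &[u8]) -> Option<Self> {
        // NonZeroI32::new returns None for zero, so the invariant cannot be broken.
        NonZeroI32::new(i32::from_le_slice(bytes)?)
    }
}

/// Safe and sound entry points: a length check plus per-type validation.
pub fn read_scalar<T: LeScalar>(s: &[u8]) -> Option<T> {
    T::from_le_slice(s.get(..T::SIZE)?)
}

pub fn read_scalar_at<T: LeScalar>(s: &[u8], loc: usize) -> Option<T> {
    read_scalar(s.get(loc..)?)
}

/// Constructed sample buffer (not a real flatbuffer): LE u32 0xDEADBEEF,
/// the byte 0x03 (an invalid bool), then four zero bytes (an invalid NonZeroI32).
pub const SAMPLE: [u8; 9] = [0xEF, 0xBE, 0xAD, 0xDE, 0x03, 0, 0, 0, 0];

fn main() {
    // Integers have no invalid patterns, so even the unsound reader is fine here.
    let raw: u32 = read_scalar_unsound(&SAMPLE[..4]);
    println!("unsound read of u32: {:#x}", raw);
    println!("checked u32 at 0: {:?}", read_scalar_at::<u32>(&SAMPLE, 0));
    println!("checked bool at 4: {:?}", read_scalar_at::<bool>(&SAMPLE, 4));
    println!("checked NonZeroI32 at 5: {:?}", read_scalar_at::<NonZeroI32>(&SAMPLE, 5));
    println!("checked u64 at 4: {:?}", read_scalar_at::<u64>(&SAMPLE, 4));
}
```

The design point is where the unsafe sits. In the unsound shape the library owns the unsafe block but the caller owns the facts that make it sound, which is exactly the mismatch the advisory describes. Moving validation into the trait impl means a type with a validity invariant can only be produced by a constructor that checks it, and an implementation for a type such as &'static str simply cannot be written without the author taking on that burden explicitly.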
Impact
Exploitation can result in memory corruption, application crashes, or other undefined behavior. The official CVSS vector records no direct confidentiality or integrity impact and a high availability impact, reflecting the denial-of-service outcome that is easiest to demonstrate. Because the root cause is undefined behavior rather than a bounded fault, the soundness hole could in principle be leveraged further, depending on how the affected functions are used in a given application.
Mitigation
Both the GitHub advisory and the RustSec advisory (RUSTSEC-2020-0009) record the fix in flatbuffers 2.0.0 [1][4]; update to >= 2.0.0. Releases before 0.4.0 are unaffected because the functions did not exist yet. There is no workaround for affected versions short of upgrading or never feeding these functions untrusted data; in particular, do not implement EndianScalar for types with validity invariants. cargo audit, which consults the RustSec database, flags RUSTSEC-2020-0009 for a Cargo.lock that pins an affected version.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flatbuffers (crates.io) | >= 0.4.0, < 2.0.0 | 2.0.0 |
Affected products
- Rust/flatbuffers
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-c9h5-hf8r-m97x (advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-35864 (advisory)
- [3] github.com/google/flatbuffers/issues/5825 (web)
- [4] rustsec.org/advisories/RUSTSEC-2020-0009.html (web)
News mentions
No linked articles in our index yet.