CVE-2020-35866
Description
An issue was discovered in the rusqlite crate before 0.23.0 for Rust. Memory safety can be violated via VTab / VTabCursor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety violation in rusqlite before 0.23.0 due to unsound VTab/VTabCursor traits.
Root
Cause
The vulnerability in the rusqlite crate prior to version 0.23.0 arises from the VTab and VTabCursor traits not being marked as unsafe. This allowed any safe Rust code to implement these traits without guaranteeing the required memory safety invariants. Specifically, the first field of a VTab struct must be rusqlite::sqlite3_vtab and the struct must be #[repr(C)]. Without the unsafe trait boundary, a safe implementation could violate these layout requirements, leading to undefined behavior [1][4].
Exploitation
An attacker could craft a valid Rust crate that implements the VTab or VTabCursor traits with an incorrect struct layout or missing safety properties. Since the traits are safe to implement, no unsafe blocks are needed, making it easy for a developer to inadvertently introduce memory safety issues. The exploit does not require authentication or network access; it can be triggered solely by using the vulnerable crate and executing the virtual table operations [2][3].
Impact
Successful exploitation can result in memory corruption, arbitrary code execution, or other forms of undefined behavior. Given that rusqlite is a widely-used SQLite binding, any application using a vulnerable version could be compromised if it processes untrusted virtual table implementations [1][2].
Mitigation
The issue was fixed in rusqlite version 0.23.0 by making both VTab and VTabCursor traits unsafe, forcing implementors to acknowledge the safety requirements [4]. Users should update to version 0.23.0 or later. This CVE is one of several related memory safety issues in rusqlite (see RUSTSEC-2020-0014) [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rusqlitecrates.io | < 0.23.0 | 0.23.0 |
Affected products
2- Rust/rusqlitedescription
Patches
254043c803c83Prep release 0.23.0
1 file changed · +1 −1
Cargo.toml+1 −1 modified@@ -1,6 +1,6 @@ [package] name = "rusqlite" -version = "0.22.0" +version = "0.23.0" authors = ["The rusqlite developers"] edition = "2018" description = "Ergonomic wrapper for SQLite"
c9ef5bd63cadMake VTab / VTabCursor `unsafe trait` as implmenting them on the wrong type is unsound
4 files changed · +13 −9
src/vtab/array.rs+2 −2 modified@@ -71,7 +71,7 @@ struct ArrayTab { base: ffi::sqlite3_vtab, } -impl VTab for ArrayTab { +unsafe impl VTab for ArrayTab { type Aux = (); type Cursor = ArrayTabCursor; @@ -149,7 +149,7 @@ impl ArrayTabCursor { } } } -impl VTabCursor for ArrayTabCursor { +unsafe impl VTabCursor for ArrayTabCursor { fn filter(&mut self, idx_num: c_int, _idx_str: Option<&str>, args: &Values<'_>) -> Result<()> { if idx_num > 0 { self.ptr = args.get_array(0)?;
src/vtab/csvtab.rs+2 −2 modified@@ -95,7 +95,7 @@ impl CSVTab { } } -impl VTab for CSVTab { +unsafe impl VTab for CSVTab { type Aux = (); type Cursor = CSVTabCursor; @@ -296,7 +296,7 @@ impl CSVTabCursor { } } -impl VTabCursor for CSVTabCursor { +unsafe impl VTabCursor for CSVTabCursor { // Only a full table scan is supported. So `filter` simply rewinds to // the beginning. fn filter(
src/vtab/mod.rs+7 −3 modified@@ -189,7 +189,11 @@ impl VTabConnection { /// `feature = "vtab"` Virtual table instance trait. /// -/// Implementations must be like: +/// # Safety +/// +/// The first item in a struct implementing VTab must be +/// `rusqlite::sqlite3_vtab`, and the struct must be `#[repr(C)]`. +/// /// ```rust,ignore /// #[repr(C)] /// struct MyTab { @@ -200,7 +204,7 @@ impl VTabConnection { /// ``` /// /// (See [SQLite doc](https://sqlite.org/c3ref/vtab.html)) -pub trait VTab: Sized { +pub unsafe trait VTab: Sized { type Aux; type Cursor: VTabCursor; @@ -465,7 +469,7 @@ impl OrderBy<'_> { /// ``` /// /// (See [SQLite doc](https://sqlite.org/c3ref/vtab_cursor.html)) -pub trait VTabCursor: Sized { +pub unsafe trait VTabCursor: Sized { /// Begin a search of a virtual table. /// (See [SQLite doc](https://sqlite.org/vtab.html#the_xfilter_method)) fn filter(&mut self, idx_num: c_int, idx_str: Option<&str>, args: &Values<'_>) -> Result<()>;
src/vtab/series.rs+2 −2 modified@@ -49,7 +49,7 @@ struct SeriesTab { base: ffi::sqlite3_vtab, } -impl VTab for SeriesTab { +unsafe impl VTab for SeriesTab { type Aux = (); type Cursor = SeriesTabCursor; @@ -181,7 +181,7 @@ impl SeriesTabCursor { SeriesTabCursor::default() } } -impl VTabCursor for SeriesTabCursor { +unsafe impl VTabCursor for SeriesTabCursor { fn filter(&mut self, idx_num: c_int, _idx_str: Option<&str>, args: &Values<'_>) -> Result<()> { let idx_num = QueryPlanFlags::from_bits_truncate(idx_num); let mut i = 0;
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-6q5w-m3c5-rv95ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-35866ghsaADVISORY
- github.com/rusqlite/rusqlite/commit/c9ef5bd63cad5c0c123344c072b490a1a9bcbe1fghsaWEB
- github.com/rusqlite/rusqlite/releases/tag/0.23.0ghsax_refsource_MISCWEB
- rustsec.org/advisories/RUSTSEC-2020-0014.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.