CVE-2020-35869
Description
An issue was discovered in the rusqlite crate before 0.23.0 for Rust. Memory safety can be violated because rusqlite::trace::log mishandles format strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-35869: In rusqlite before 0.23.0, the `trace::log` function mishandles format strings, allowing memory safety violations.
Vulnerability
Description
CVE-2020-35869 affects the rusqlite crate for Rust before version 0.23.0. The issue is that rusqlite::trace::log mishandles format strings, which can lead to memory safety violations [1][4]. This specific flaw is one of several memory safety issues addressed in the 0.23.0 release, which was the result of an audit of unsafe code in the crate [4].
Attack
Vector and Prerequisites
The vulnerable code path is rusqlite::trace::log, a safe (non-unsafe) public function that takes an error code and a message and hands the message to SQLite's variadic sqlite3_log as the format string itself, not as an argument to a fixed format. Any printf-style conversion in the message (for example %s, %d or %x) is therefore interpreted by SQLite's internal printf engine, which then reads variadic arguments the caller never supplied. Exploitation needs no authentication or network position of its own; what it needs is application code that passes attacker-influenced text (user input, error text, values read back from the database) into this logging function.
Impact
Successful exploitation causes undefined behaviour inside the process that uses rusqlite. Conversions that expect arguments read whatever stale register or stack values are in the variadic argument positions, and a %s conversion dereferences whatever pointer it finds there, so the outcome ranges from a crash (denial of service) through disclosure of memory contents into the SQLite log output to, potentially, memory corruption and arbitrary code execution [2][4].
Mitigation
The fix was released in rusqlite version 0.23.0 [3][4]; users should update to this version or later. The advisory notes that several of the APIs audited for that release were fundamentally unsound and could not be fixed without breaking changes, hence the version bump [4]; the fix for this particular function is a one-line change (a constant "%s" format with the message passed as its argument, see Patches). The trace module is optional, so builds using default features may not compile the vulnerable function at all, but updating is still recommended.
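To show the two call shapes side by side, here is an added example that is not rusqlite's own code. libc's snprintf, which has the same (format string, varargs) calling convention as sqlite3_log, stands in for sqlite3_log so the result can be captured as a string. The vulnerable shape is deliberately exercised only with `%%`, the one conversion that consumes no argument, so the rewriting is visible without undefined behaviour; a caller-controlled `%s` or `%d` would read varargs that were never passed. The fixed shape mirrors the 0.23.0 patch. Returning Err on an embedded NUL instead of panicking is this example's choice, not upstream behaviour (upstream keeps the `.expect`).

```rust
// Added example (not rusqlite code): models CVE-2020-35869 with libc snprintf
// standing in for sqlite3_log. Both are C variadic functions taking a format
// string followed by its arguments.
use std::ffi::{CStr, CString, NulError};
use std::os::raw::{c_char, c_int};

unsafe extern "C" {
    // libc's snprintf; std links libc on Unix, so no extra crate is needed.
    fn snprintf(buf: *mut c_char, size: usize, fmt: *const c_char, ...) -> c_int;
}

/// Vulnerable shape (rusqlite before 0.23.0): the caller's message *is* the
/// format string. Every `%` conversion in `msg` is interpreted by the C printf
/// engine; conversions that take arguments read varargs nobody passed (UB).
/// Only ever called here with `%%`, which needs no argument.
pub fn log_vulnerable(msg: &str) -> String {
    let c_msg = CString::new(msg).expect("no embedded NUL in this demo input");
    let mut buf = vec![0u8; 256]; // zero-filled, so it is always NUL-terminated
    unsafe {
        snprintf(buf.as_mut_ptr() as *mut c_char, buf.len(), c_msg.as_ptr());
        CStr::from_ptr(buf.as_ptr() as *const c_char)
            .to_string_lossy()
            .into_owned()
    }
}

/// Fixed shape (rusqlite 0.23.0): a constant "%s" format with the message as
/// its single argument. The message is copied verbatim and `%` sequences in it
/// are never interpreted. An embedded NUL yields Err instead of a panic
/// (assumption of this example; the upstream fix keeps `.expect`).
pub fn log_fixed(msg: &str) -> Result<String, NulError> {
    let c_msg = CString::new(msg)?;
    let mut buf = vec![0u8; 256];
    unsafe {
        snprintf(
            buf.as_mut_ptr() as *mut c_char,
            buf.len(),
            b"%s\0".as_ptr() as *const c_char,
            c_msg.as_ptr(),
        );
        Ok(CStr::from_ptr(buf.as_ptr() as *const c_char)
            .to_string_lossy()
            .into_owned())
    }
}

fn main() {
    // Constructed input: text an application might log verbatim on behalf of a user.
    let msg = "user input: 100%% done";
    println!("vulnerable: {}", log_vulnerable(msg)); // "%%" collapses to "%"
    println!("fixed:      {}", log_fixed(msg).unwrap()); // message preserved as-is
    println!("embedded NUL rejected: {}", log_fixed("a\0b").is_err());
}
```

The difference in output is the whole bug: in the vulnerable shape the printf engine consumed the message as a template, so with `%s` or `%d` in place of `%%` it would have gone on to read arguments that do not exist; in the fixed shape the only template is the constant "%s" and the message is opaque data.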
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rusqlite (crates.io) | < 0.23.0 | 0.23.0 |
Affected products
- Rust/rusqlite
Patches
254043c803c83: Prep release 0.23.0
1 file changed · +1 −1
Cargo.toml+1 −1 modified@@ -1,6 +1,6 @@ [package] name = "rusqlite" -version = "0.22.0" +version = "0.23.0" authors = ["The rusqlite developers"] edition = "2018" description = "Ergonomic wrapper for SQLite"
2327d3b77492: Fix format string error in rusqlite::trace::log
1 file changed · +1 −1
src/trace.rs+1 −1 modified@@ -61,7 +61,7 @@ pub unsafe fn config_log(callback: Option<fn(c_int, &str)>) -> Result<()> { pub fn log(err_code: c_int, msg: &str) { let msg = CString::new(msg).expect("SQLite log messages cannot contain embedded zeroes"); unsafe { - ffi::sqlite3_log(err_code, msg.as_ptr()); + ffi::sqlite3_log(err_code, b"%s\0" as *const _ as *const c_char, msg.as_ptr()); } }
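Review bot: the unchanged `.expect("SQLite log messages cannot contain embedded zeroes")` on `CString::new(msg)` still aborts the process when a caller-supplied message contains an embedded NUL, and `log` is a safe `pub fn` that applications are likely to feed user-controlled text; consider mapping that error into the function's own error type (`CString::new(msg).map_err(...)`) or at least documenting the panic in the rustdoc. The format-string fix itself is correct: `b"%s\0"` is now the format and `msg.as_ptr()` its only argument, so `%` sequences in `msg` are passed through as data rather than interpreted, whereas the removed line passed `msg.as_ptr()` in the format position with no arguments at all. A minor style point: the `b"%s\0" as *const _ as *const c_char` double cast would read more clearly as a named `const` or a `CStr` built once, so the NUL terminator is not something each call site has to get right.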
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8r7q-r9mx-35rh (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-35869 (NVD entry)
- github.com/rusqlite/rusqlite/commit/2327d3b774927fdf48903c0bdc1ca7ec93c7c8d0 (fix commit)
- github.com/rusqlite/rusqlite/releases/tag/0.23.0 (release notes for 0.23.0)
- rustsec.org/advisories/RUSTSEC-2020-0014.html (RustSec advisory)
News mentions
No linked articles in our index yet.