Critical severityNVD Advisory· Published Dec 31, 2020· Updated Aug 4, 2024

CVE-2020-35872

Description

An issue was discovered in the rusqlite crate before 0.23.0 for Rust. Memory safety can be violated via the repr(Rust) type.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory safety vulnerability in rusqlite before 0.23.0 due to incorrect use of repr(Rust) type for SQLite auxdata, leading to potential memory corruption.

The vulnerability affects the rusqlite crate for Rust prior to version 0.23.0. The issue arises because the crate used a Rust tuple (std::any::TypeId, T) without an explicit #[repr(C)] attribute when storing auxiliary data via SQLite's sqlite3_set_auxdata API. Since SQLite's C API expects data with a C-compatible memory layout, the default repr(Rust) layout can differ, causing undefined behavior and potential memory safety violations [2][4].

Exploitation requires the use of user-defined SQL functions that call set_aux and get_aux methods on Context. An attacker could craft input that triggers type confusion or memory corruption when the data is accessed, leading to crashes or worse. No authentication is needed if the attacker can inject SQL queries that invoke such functions, but the attack surface is limited to environments where user-defined functions are exposed [2][3].

The impact includes denial of service due to memory corruption, and in some cases, arbitrary code execution may be possible. The RustSec advisory lists this as a memory safety issue, highlighting the severity of violating Rust's safety guarantees through improper FFI [2].

The fix was implemented in commit 71b2f5187b0cbace3f8b6ff53432ff2ca0defcf0, which introduced a #[repr(C)] struct AuxData to ensure a stable layout compatible with SQLite. Users should upgrade to rusqlite version 0.23.0 or later to mitigate the vulnerability [3][4].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
rusqlitecrates.io	< 0.23.0	0.23.0

Affected products

Rust/rusqlitedescription
ghsa-coords
pkg:cargo/rusqlite
Range: < 0.23.0

Patches

54043c803c83

Prep release 0.23.0

https://github.com/rusqlite/rusqliteThom ChiovoloniApr 23, 2020via osv

commit

1 file changed · +1 −1

Cargo.toml+1 −1 modified

@@ -1,6 +1,6 @@
 [package]
 name = "rusqlite"
-version = "0.22.0"
+version = "0.23.0"
 authors = ["The rusqlite developers"]
 edition = "2018"
 description = "Ergonomic wrapper for SQLite"

71b2f5187b0c

Ensure type use for auxdata is repr(C)

https://github.com/rusqlite/rusqliteThom ChiovoloniApr 12, 2020via ghsa

commit

1 file changed · +16 −6

src/functions.rs+16 −6 modified

@@ -67,6 +67,7 @@
 //!     Ok(())
 //! }
 //! ```
+use std::any::TypeId;
 use std::os::raw::{c_int, c_void};
 use std::panic::{catch_unwind, RefUnwindSafe, UnwindSafe};
 use std::ptr;
@@ -177,13 +178,16 @@ impl Context<'_> {
     /// https://www.sqlite.org/c3ref/get_auxdata.html for a discussion of
     /// this feature, or the unit tests of this module for an example.
     pub fn set_aux<T: 'static>(&self, arg: c_int, value: T) {
-        let boxed = Box::into_raw(Box::new((std::any::TypeId::of::<T>(), value)));
+        let boxed = Box::into_raw(Box::new(AuxData {
+            id: TypeId::of::<T>(),
+            value,
+        }));
         unsafe {
             ffi::sqlite3_set_auxdata(
                 self.ctx,
                 arg,
                 boxed as *mut c_void,
-                Some(free_boxed_value::<(std::any::TypeId, T)>),
+                Some(free_boxed_value::<AuxData<T>>),
             )
         };
     }
@@ -192,20 +196,26 @@ impl Context<'_> {
     /// via `set_aux`. Returns `Ok(None)` if no data has been associated,
     /// and .
     pub fn get_aux<T: 'static>(&self, arg: c_int) -> Result<Option<&T>> {
-        let p = unsafe { ffi::sqlite3_get_auxdata(self.ctx, arg) as *mut (std::any::TypeId, T) };
+        let p = unsafe { ffi::sqlite3_get_auxdata(self.ctx, arg) as *const AuxData<T> };
         if p.is_null() {
             Ok(None)
         } else {
-            let id_val = unsafe { &*p };
-            if std::any::TypeId::of::<T>() != id_val.0 {
+            let id = unsafe { (*p).id };
+            if TypeId::of::<T>() != id {
                 Err(Error::GetAuxWrongType)
             } else {
-                Ok(Some(&id_val.1))
+                Ok(Some(unsafe { &(*p).value }))
             }
         }
     }
 }
 
+#[repr(C)]
+struct AuxData<T: 'static> {
+    id: TypeId,
+    value: T,
+}
+
 /// `feature = "functions"` Aggregate is the callback interface for user-defined
 /// aggregate function.
 ///

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-g4w7-3qr8-5623ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-35872ghsaADVISORY
github.com/rusqlite/rusqlite/commit/71b2f5187b0cbace3f8b6ff53432ff2ca0defcf0ghsaWEB
github.com/rusqlite/rusqlite/releases/tag/0.23.0ghsax_refsource_MISCWEB
rustsec.org/advisories/RUSTSEC-2020-0014.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000