CVE-2020-35878

The ozone Rust crate, a pure-Rust key/value store, contains a vulnerability that leads to memory safety violations. Specifically, the crate allows the dropping of uninitialized memory, which can trigger undefined behavior (UB) such as use-after-free or double-free conditions. This flaw is part of a broader set of memory safety issues identified in the crate, including out-of-bounds access [1][2].

Exploitation of this vulnerability does not require authentication or special privileges, as the issue manifests through normal crate operations. An attacker with network access could potentially trigger the unsafe memory operations by crafting inputs that cause the crate to drop uninitialized structures. The CVSS score of 9.8 (Critical) reflects the low attack complexity and the fact that no user interaction is needed [2].

Successful exploitation could allow an attacker to achieve arbitrary code execution, read sensitive memory, or cause a denial of service. The vulnerability affects all versions of the 'ozone' crate up to the reported date (2020-07-04), and the advisory notes that no patched version has been released, meaning the crate is considered permanently unmaintained for security fixes [2].