VYPR
Critical severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35885

Description

An issue was discovered in the alpm-rs crate through 2020-08-20 for Rust. StrcCtx performs improper memory deallocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The StrcCtx type in the alpm-rs crate improperly deallocates memory it does not own, leading to use-after-free and double-free vulnerabilities.

The vulnerability lies in the StrcCtx struct of the alpm-rs crate, which wraps a raw C string pointer. Its Drop implementation deallocates the memory the pointer refers to, which is safe only when the value was created through StrcCtx::new(). If a StrcCtx is instead constructed directly with a pointer into a Vec or other buffer, the drop handler frees memory it does not own, corrupting the heap [2].

Exploitation requires a program that uses the alpm-rs crate and creates StrcCtx instances without going through the new() function. An attacker can supply a pointer to a Vec’s buffer; when the StrcCtx is dropped, that buffer is freed while the Vec still owns it, resulting in a use-after-free or double free. A demonstration shows this leads to memory corruption and panics [2]. No authentication or special network position is required; any code path that triggers the unsafe deallocation suffices.

The impact is rated critical (CVSS 9.8) [3], since memory safety violations can lead to arbitrary code execution, data corruption, or denial of service. The flaw affects all versions of the alpm-rs crate through 2020-08-20.

No patched version exists; the crate appears unmaintained [3]. Developers should avoid constructing StrcCtx directly and consider switching to a maintained fork or an alternative library.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
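The construction pattern the narrative above calls for, shown as an added example that is not code from the alpm-rs crate: a hypothetical OwnedCStr wrapper whose pointer field is private, so it can only be built through new(), which copies the input into an allocation the wrapper owns. Drop then reclaims exactly that allocation and can never free a Vec's buffer that was merely pointed at.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// Hypothetical hardened counterpart to a raw C-string wrapper (not the
/// alpm-rs StrcCtx). The pointer field is private, so the only way to build
/// a value is `new`, which copies the input into heap memory this type owns.
pub struct OwnedCStr {
    ptr: *mut c_char,
}

impl OwnedCStr {
    /// Copies `s` into a NUL-terminated allocation owned by the wrapper.
    /// Interior NUL bytes are rejected instead of silently truncating.
    pub fn new(s: &str) -> Result<Self, NulError> {
        let owned = CString::new(s)?;
        // into_raw hands the allocation to us; Drop returns it the same way.
        Ok(OwnedCStr { ptr: owned.into_raw() })
    }

    /// Pointer suitable for passing to C; ownership stays with the wrapper.
    pub fn as_ptr(&self) -> *const c_char {
        self.ptr
    }

    /// Borrowed view of the contents; valid for as long as `self` lives.
    pub fn as_str(&self) -> &str {
        // SAFETY: ptr was produced by CString::into_raw in `new` and is only
        // released in Drop, so it is valid and NUL-terminated here.
        let cstr = unsafe { CStr::from_ptr(self.ptr) };
        cstr.to_str().expect("built from &str, so always valid UTF-8")
    }
}

impl Drop for OwnedCStr {
    fn drop(&mut self) {
        // SAFETY: reclaims exactly the allocation made by CString::into_raw in
        // `new`; no other owner can exist because the field is private.
        unsafe { drop(CString::from_raw(self.ptr)) };
    }
}

/// Hands a Vec-backed buffer (constructed sample input) to the wrapper by
/// copy, drops the wrapper, and returns what it saw plus the still-valid Vec.
pub fn vec_buffer_survives_drop() -> (String, Vec<u8>) {
    let buf: Vec<u8> = b"core/pacman".to_vec();
    let wrapper = OwnedCStr::new(std::str::from_utf8(&buf).unwrap()).unwrap();
    let seen = wrapper.as_str().to_owned();
    drop(wrapper); // frees only the copy made in new(); buf is untouched
    (seen, buf) // buf is freed exactly once, by Vec, when the caller drops it
}
```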

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: alpm-rs (crates.io)
Affected versions: <= 0.1.24
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
