VYPR
Critical severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35888

Description

An issue was discovered in the arr crate through 2020-08-25 for Rust. Uninitialized memory is dropped by Array::new_from_template.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The arr crate's Array::new_from_template drops uninitialized memory, leading to undefined behavior and potential memory corruption.

Vulnerability

Overview

The arr crate (version 0.6.0 and earlier) contains a critical memory safety flaw in the Array::new_from_template function. This function creates a new array by cloning a template element, but it fails to properly initialize the memory before dropping it. As a result, uninitialized memory is passed to the Drop implementation, which can trigger undefined behavior, including reading or writing to arbitrary memory locations [1][3].

Exploitation

Details

An attacker does not need special privileges to trigger this vulnerability; any code that calls Array::new_from_template with a type that has a custom Drop implementation can cause the drop of uninitialized memory. The issue is exacerbated by the fact that the crate also incorrectly implements Sync/Send bounds, allowing non-thread-safe types to be smuggled across thread boundaries, and its Index/IndexMut implementations lack bounds checking [1]. These additional flaws increase the attack surface, but the core CVE-2020-35888 focuses on the uninitialized memory drop.
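As an added example illustrating the Overview and Details above (this is not code from the arr crate or from the advisory), the pattern a from-template constructor should follow so that no slot is dropped before it is initialized: MaybeUninit::write stores each clone without running Drop on the slot's prior contents. The Drop-counting Tracked type, the DROPS counter and drops_for are assumptions constructed for the demonstration; they let a test confirm that exactly n values are dropped, never garbage.

```rust
use std::mem::MaybeUninit;
use std::sync::atomic::{AtomicUsize, Ordering};

/// Builds `n` clones of `template` into freshly allocated storage.
/// Each slot is filled with `MaybeUninit::write`, which stores the value
/// without running `Drop` on the slot's previous contents. The unsound
/// pattern behind CVE-2020-35888 is plain assignment (`slot = value`)
/// into uninitialized storage: assignment drops the old value first, so
/// garbage bytes are handed to `T::drop`.
fn new_from_template<T: Clone>(n: usize, template: &T) -> Box<[T]> {
    let mut slots: Box<[MaybeUninit<T>]> =
        (0..n).map(|_| MaybeUninit::uninit()).collect();
    for slot in slots.iter_mut() {
        slot.write(template.clone()); // no drop of the uninitialized slot
    }
    // SAFETY: every slot was written in the loop above, and MaybeUninit<T>
    // has the same layout as T, so the allocation can be viewed as [T].
    unsafe { Box::from_raw(Box::into_raw(slots) as *mut [T]) }
}

/// Constructed test type (assumption, not from the crate): counts how many
/// times `Drop` runs, so a test can prove only initialized values are dropped.
static DROPS: AtomicUsize = AtomicUsize::new(0);

#[derive(Clone)]
struct Tracked(u32);

impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

/// Builds and then drops an array of `n` clones, returning the number of
/// `Drop` calls observed; a correct constructor reports exactly `n`.
fn drops_for(n: usize) -> usize {
    let template = Tracked(7); // dropped after `after` is read
    let before = DROPS.load(Ordering::SeqCst);
    let arr = new_from_template(n, &template);
    let all_clones = arr.iter().all(|t| t.0 == 7);
    drop(arr);
    let after = DROPS.load(Ordering::SeqCst);
    if all_clones { after - before } else { usize::MAX }
}

fn main() {
    println!("drops observed for 4 elements: {}", drops_for(4)); // 4
}
```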

Impact

Exploiting this vulnerability can lead to memory corruption, data leaks, or arbitrary code execution, depending on how the uninitialized memory is interpreted by the Drop implementation. The RustSec advisory categorizes this as a memory-corruption and thread-safety issue [3]. Since the crate is no longer maintained and no patched versions exist, any application using the arr crate is at risk.

Mitigation

Status

As of the latest advisory (June 2023), there are no patched versions of the arr crate [3]. The recommended mitigation is to avoid using the crate entirely and migrate to safer alternatives, such as Vec or arrayvec. The crate has been flagged in the RustSec database, and users should remove it from their dependencies to prevent exploitation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
arr (crates.io)    <= 0.6.1            none

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4
