CVE-2020-35895
Description
The stack crate for Rust before 0.3.1 allows out-of-bounds writes in ArrayVec::insert due to a missing upper bound check, leading to potential memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
The stack crate for Rust, prior to version 0.3.1, contains a critical vulnerability in the ArrayVec::insert method. The method fails to check the upper bound of the insertion index, allowing an out-of-bounds write when an index greater than the array's capacity is provided [3][4]. This missing bounds check can lead to memory corruption.
Exploitation
An attacker can exploit this vulnerability by supplying an index that exceeds the allocated capacity of the ArrayVec. The proof-of-concept demonstrates that inserting an element at index 5 into an array of capacity 2 results in a segmentation fault in release mode due to writing to invalid memory [4]. The vulnerability is remotely exploitable over the network without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N) [3].
Impact
Successful exploitation could allow an attacker to achieve arbitrary memory write, potentially leading to code execution, data corruption, or denial of service. The CVSS score of 9.8 (Critical) reflects the high impact on confidentiality, integrity, and availability [3].
Mitigation
The issue has been addressed in version 0.3.1 of the stack crate. Users are advised to update to the patched version immediately. No workarounds are available [3].
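A minimal model of the bounds check the fix adds, as an added example that is not code from the stack crate: `FixedVec`, `InsertError`, `try_insert` and `unchecked_copy_count` are hypothetical names, and returning an error on a full buffer is an assumption of this sketch. The helper shows the element count that an unchecked `len - index` produces when the index is past the length.

```rust
use std::ptr;

// Hypothetical fixed-capacity vector for illustration; not the stack crate's type.
pub struct FixedVec<const N: usize> {
    buf: [u32; N],
    len: usize,
}

#[derive(Debug, PartialEq)]
pub enum InsertError {
    IndexOutOfBounds { index: usize, len: usize },
    Full,
}

// Element count an unchecked insert passes to `copy`: `len - index` with no prior
// check. With overflow checks off (the release default) the subtraction wraps.
pub fn unchecked_copy_count(len: usize, index: usize) -> usize {
    len.wrapping_sub(index)
}

impl<const N: usize> FixedVec<N> {
    pub fn new() -> Self {
        FixedVec { buf: [0; N], len: 0 }
    }
    // Rejects a bad index or a full buffer before any raw-pointer arithmetic.
    pub fn try_insert(&mut self, index: usize, element: u32) -> Result<(), InsertError> {
        if index > self.len {
            return Err(InsertError::IndexOutOfBounds { index, len: self.len });
        }
        if self.len == N {
            return Err(InsertError::Full);
        }
        unsafe {
            // SAFETY: index <= len < N, so the source range and the range
            // shifted up by one element both lie inside `buf`.
            let ptr = self.buf.as_mut_ptr().add(index);
            ptr::copy(ptr, ptr.add(1), self.len - index);
            ptr::write(ptr, element);
        }
        self.len += 1;
        Ok(())
    }
    pub fn as_slice(&self) -> &[u32] {
        &self.buf[..self.len]
    }
}

fn main() {
    let mut v = FixedVec::<2>::new();
    println!("{:?}", v.try_insert(5, 1));
}
```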
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| stack (crates.io) | < 0.3.1 | 0.3.1 |
Affected products
- Rust/stack (description)
Patches
2 files changed · +3 −3
Cargo.toml+2 −2 modified@@ -1,12 +1,12 @@ [package] name = "stack" -version = "0.3.0" +version = "0.3.1" authors = ["arcnmx"] description = "DSTs and arrays on the stack!" keywords = ["smallvec", "array", "vec", "dst", "stack"] -documentation = "http://arcnmx.github.io/stack-rs/stack/" +documentation = "http://docs.rs/stack/" repository = "https://github.com/arcnmx/stack-rs" readme = "README.md" license = "MIT"
README.md+1 −1 modified@@ -16,6 +16,6 @@ Implements dynamically sized types over stack allocated arrays. [release-badge]: https://img.shields.io/crates/v/stack.svg?style=flat-square [cargo]: https://crates.io/crates/stack [docs-badge]: https://img.shields.io/badge/API-docs-blue.svg?style=flat-square -[docs]: http://arcnmx.github.io/stack-rs/stack/ +[docs]: http://docs.rs/stack/ [license-badge]: https://img.shields.io/badge/license-MIT-ff69b4.svg?style=flat-square [license]: https://github.com/arcnmx/stack-rs/blob/master/COPYING
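Review bot: The new `documentation` value in Cargo.toml and the matching `[docs]` link in README.md both point at `http://docs.rs/stack/` over plain HTTP, while the badge, crates.io and license links in the same README already use `https://`. Switch both to `https://docs.rs/stack/` so the documentation link is not the one unencrypted URL in the package metadata.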
369e55736f9b Add bounds check to Vector::insert
1 file changed · +2 −1
src/vector.rs+2 −1 modified@@ -49,9 +49,10 @@ pub trait Vector { } fn insert(&mut self, index: usize, element: Self::Item) { + let len = self.len(); + assert!(index <= len); self.reserve(1); unsafe { - let len = self.len(); let ptr = self.as_mut_ptr().uoffset(index); copy(ptr, ptr.uoffset(1), len - index); write(ptr, element);
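Review bot: The new `assert!(index <= len);` at the top of `insert` panics without a message, and the trait method has no doc comment naming the panic, so a caller who trips it gets no hint which index was rejected. Consider `assert!(index <= len, "insertion index (is {}) should be <= len (is {})", index, len);` together with a `# Panics` section on `insert`. The commit changes only src/vector.rs, so a regression test that inserts past `len` and expects a panic should accompany it.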
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h45v-vgvp-3h5v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-35895 (ghsa, ADVISORY)
- github.com/arcnmx/stack-rs/commit/369e55736f9bd29c37b1712afc2923f4028148c6 (ghsa, WEB)
- github.com/arcnmx/stack-rs/issues/4 (ghsa, WEB)
- rustsec.org/advisories/RUSTSEC-2020-0042.html (ghsa, x_refsource_MISC, WEB)