VYPR
Moderate severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35900

Description

Use-after-free in array-queue Rust crate due to pop_back() using wrong index, leading to memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The array-queue Rust crate up to 2020-09-26 contains a use-after-free vulnerability in its pop_back() method. The root cause is that pop_back() calculates the element index as self.length - 1 without accounting for the start offset, which becomes misaligned after pop_front() operations [2]. This leads to reading from uninitialized or previously dropped memory, potentially causing double drops and arbitrary read primitives in safe Rust [3].
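The index error described above, modelled in safe Rust as an added example (not the array-queue crate's code; ModelQueue, CAP and the method names are hypothetical). Slots are Option values, so a vacated slot reads as None where the description says the real crate reads dropped memory.

```rust
// Added illustration, not the array-queue crate's code. Slots are Option<u32>
// so reading a vacated slot yields None instead of undefined behaviour.
const CAP: usize = 4;

struct ModelQueue {
    slots: [Option<u32>; CAP],
    start: usize,  // index of the front element
    length: usize, // number of live elements
}

impl ModelQueue {
    fn new() -> Self { ModelQueue { slots: [None; CAP], start: 0, length: 0 } }
    fn push_back(&mut self, v: u32) {
        assert!(self.length < CAP, "queue full");
        self.slots[(self.start + self.length) % CAP] = Some(v);
        self.length += 1;
    }
    fn pop_front(&mut self) -> Option<u32> {
        if self.length == 0 { return None; }
        let v = self.slots[self.start].take(); // vacate the front slot
        self.start = (self.start + 1) % CAP;
        self.length -= 1;
        v
    }
    // Index as the description states it: length - 1, start offset ignored.
    fn back_index_flawed(&self) -> usize { self.length - 1 }
    // Index that accounts for the start offset (wraps at capacity).
    fn back_index_fixed(&self) -> usize { (self.start + self.length - 1) % CAP }
}

// Push `values` (2..=CAP items), pop the front once, then return the slot each
// index formula selects as the "back": (flawed, fixed).
fn back_after_one_pop_front(values: &[u32]) -> (Option<u32>, Option<u32>) {
    assert!(values.len() >= 2 && values.len() <= CAP);
    let mut q = ModelQueue::new();
    for &v in values {
        q.push_back(v);
    }
    q.pop_front();
    (q.slots[q.back_index_flawed()], q.slots[q.back_index_fixed()])
}

fn main() {
    println!("{:?}", back_after_one_pop_front(&[10, 20]));
    println!("{:?}", back_after_one_pop_front(&[10, 20, 30]));
}
```

With two elements the flawed index selects the slot pop_front() already vacated; with three it selects the current front, which a later pop_front() would hand out a second time.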

Exploitation requires the ability to call pop_back() after a pop_front() on the same queue. No authentication is needed, but the attacker must have local access and the ability to execute code that manipulates the queue. The attack complexity is low, and no user interaction is required [2].

The impact is primarily on confidentiality, as an attacker can read uninitialized memory or previously freed data, which may contain sensitive information. Integrity and availability are not directly affected, but the double-drop can lead to undefined behavior, including crashes [2][3].

As of the advisory date, no patched version of the crate exists. Users are advised to avoid using the pop_back() function on queues that have undergone pop_front() operations, or to migrate to alternative implementations [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| array-queue (crates.io) | >= 0.3.0, <= 0.3.3 | (none listed) |

Affected products

2

Patches

0

No patches discovered yet.

References

4
