VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 31, 2020· Updated Aug 4, 2024

CVE-2020-35916

CVE-2020-35916

Description

An issue was discovered in the image crate before 0.23.12 for Rust. A Mutable reference has immutable provenance. (In the case of LLVM, the IR may be always correct.)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A soundness issue in the Rust `image` crate before 0.23.12 allows creating a mutable reference from an immutable pointer, potentially leading to undefined behavior.

Vulnerability

Details

The image crate for Rust contained a soundness bug in the Bgr::from_slice_mut function (and similar methods) that constructed a mutable slice from a pointer obtained via slice::as_ptr, which only grants immutable provenance [1][3][4]. According to Rust's aliasing rules, a mutable reference must have mutable provenance; using an immutable pointer to create a mutable reference is undefined behavior (UB) [4]. The commit fixing the issue notes that while current LLVM IR may not exploit this, stricter future optimizations could [4].

Exploitation

The vulnerability is classified as local, with low attack complexity and low privileges required (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) [3]. An attacker with local access could craft input that triggers the unsound code path, potentially causing undefined behavior. However, the RustSec advisory indicates that no known miscompilation has been observed under current LLVM versions [3][4].

Impact

The primary impact is on availability, rated as high (CVSS 5.5 MEDIUM) [3]. Exploitation could lead to crashes or memory corruption. There is no direct impact on confidentiality or integrity [3].

Mitigation

The issue was patched in version 0.23.12 of the image crate [3][4]. Users are advised to update to the latest version. The fix replaces the use of as_ptr with as_mut_ptr to ensure proper mutable provenance [4].

References
  1. GitHub - image-rs/image: Encoding and decoding images in Rust
  2. Mutable reference with immutable provenance › RustSec Advisory Database
  3. Fix assembling mutable slice from const reference · image-rs/image@5cbe1e6

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
imagecrates.io
< 0.23.120.23.12

Affected products

2

Patches

2
07b0b85261d2

Update release notes and meta data for 0.23.12

https://github.com/image-rs/imageAndreas MolzerNov 18, 2020via osv
commit
2 files changed · +19 1
  • Cargo.toml+1 1 modified
    @@ -1,6 +1,6 @@
 [package]
 name = "image"
-version = "0.23.11"
+version = "0.23.12"
 edition = "2018"
 license = "MIT"
 description = "Imaging library written in Rust. Provides basic filters and decoders for the most common image formats."
  • CHANGES.md+18 0 modified
    @@ -10,6 +10,24 @@ Rust image aims to be a pure-Rust implementation of various popular image format
 
 ## Changes
 
+### Version 0.23.12
+
+- Fix a soundness issue affecting the impls of `Pixel::from_slice_mut`. This
+  would previously reborrow the mutable input reference as a shared one but
+  then proceed to construct the mutable result reference from it. While UB
+  according to Rust's memory model, we're fairly certain that no miscompilation
+  can happen with the LLVM codegen in practice.
+  See 5cbe1e6767d11aff3f14c7ad69a06b04e8d583c7 for more details.
+- Fix `imageops::blur` panicking when `sigma = 0.0`. It now defaults to `1.0`
+  as all negative values.
+- Fix re-exporting `png::{CompressionType, FilterType}` to maintain SemVer
+  compatibility with the `0.23` releases.
+
+- Add ImageFormat::from_extension
+- Add copyless DynamicImage to byte slice/vec conversion.
+- Add bit-depth specific `into_` and `to_` DynamicImage conversion methods.
+
+
 ### Version 0.23.11
 
 - The `NeuQuant` implementation is now supplied by `color_quant`. Use of the
5cbe1e6767d1

Fix assembling mutable slice from const reference

https://github.com/image-rs/imageAndreas MolzerNov 12, 2020via ghsa
commit
1 file changed · +1 1
  • src/color.rs+1 1 modified
    @@ -253,7 +253,7 @@ impl<T: Primitive + 'static> Pixel for $ident<T> {
     }
     fn from_slice_mut(slice: &mut [T]) -> &mut $ident<T> {
         assert_eq!(slice.len(), $channels);
-        unsafe { &mut *(slice.as_ptr() as *mut $ident<T>) }
+        unsafe { &mut *(slice.as_mut_ptr() as *mut $ident<T>) }
     }
 
     fn to_rgb(&self) -> Rgb<T> {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.