VYPR
High severity · NVD Advisory · Published Aug 8, 2021 · Updated Aug 4, 2024

CVE-2020-36433

Description

An issue was discovered in the chunky crate through 2020-08-25 for Rust. The Chunk API does not honor an alignment requirement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Rust chunky crate's Chunk API fails to enforce memory alignment, allowing unaligned references and undefined behavior.

Vulnerability

The chunky crate (versions up to and including 0.3.7) provides a Chunk API for storing heterogeneous data. The `Deref` and `DerefMut` implementations for `Value` cast the internal chunk pointer directly to a reference of type `V` without ensuring that the pointer is properly aligned for `V`. This violates Rust's safety guarantees and results in undefined behavior [1][2][3].

Exploitation

An attacker can exploit this by creating a value with a type that has a large alignment requirement (e.g., `#[repr(align(256))]`) and then using the `Value::load_or_default` or similar API to obtain a reference. The resulting reference may be unaligned, as demonstrated in the proof-of-concept code: the assertion `v % align_of::() == 0` fails [2]. No special privileges or user interaction is required; the attack vector is network-based (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) [3].

Impact

Successful exploitation leads to undefined behavior, which can manifest as memory corruption or incorrect program behavior. The CVSS score indicates a high integrity impact, meaning an attacker could potentially corrupt data in memory. However, the exact consequences depend on the Rust compiler and runtime environment; possible outcomes include crashes, data leaks, or arbitrary code execution [1][2][3].

Mitigation

As of the latest advisory (June 2023), there are no patched versions of the chunky crate [3]. The only mitigation is to avoid using the crate entirely until a fix is released. Alternatively, users can manually ensure alignment by wrapping accesses in alignment checks, but this is not a robust solution [1][2].
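The kind of alignment check mentioned above, shown on a caller-owned byte buffer as an added example (not code from the chunky crate or its advisories, and not a patch for it). `Wide`, `ViewError`, `view_wide`, `read_wide` and `demo` are hypothetical names, and the buffer contents are constructed.

```rust
use std::mem::{align_of, size_of};

/// Constructed stand-in for a value type with a large alignment requirement.
#[repr(C, align(256))]
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Wide { pub tag: u32 }

#[derive(Debug, PartialEq)]
pub enum ViewError {
    TooShort,
    Misaligned { remainder: usize },
}

/// Checked form of a raw `&*(ptr as *const V)` cast: length and alignment
/// are verified before any reference exists.
pub fn view_wide(bytes: &[u8]) -> Result<&Wide, ViewError> {
    if bytes.len() < size_of::<Wide>() {
        return Err(ViewError::TooShort);
    }
    let remainder = bytes.as_ptr() as usize % align_of::<Wide>();
    if remainder != 0 {
        return Err(ViewError::Misaligned { remainder });
    }
    // SAFETY: aligned, long enough, and any bit pattern is a valid `Wide`.
    Ok(unsafe { &*(bytes.as_ptr() as *const Wide) })
}

/// Alignment-independent fallback: copy the value out instead of borrowing.
pub fn read_wide(bytes: &[u8]) -> Option<Wide> {
    if bytes.len() < size_of::<Wide>() {
        return None;
    }
    // SAFETY: `read_unaligned` has no alignment requirement; length checked.
    Some(unsafe { std::ptr::read_unaligned(bytes.as_ptr() as *const Wide) })
}

/// Views a constructed buffer at an aligned offset and one byte past it.
pub fn demo() -> (Result<u32, ViewError>, Result<u32, ViewError>, Option<u32>) {
    let buf = vec![1u8; 3 * size_of::<Wide>()];
    let align = align_of::<Wide>();
    let off = (align - buf.as_ptr() as usize % align) % align;
    let aligned = view_wide(&buf[off..]).map(|w| w.tag);
    let shifted = view_wide(&buf[off + 1..]).map(|w| w.tag);
    (aligned, shifted, read_wide(&buf[off + 1..]).map(|w| w.tag))
}

fn main() {
    println!("{:?}", demo());
}
```

The misaligned view is rejected before a `&Wide` is ever formed, while `read_wide` still recovers the value by copying it into properly aligned storage.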

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| chunky (crates.io) | <= 0.3.7 | |

Affected products

3

Patches

0

No patches discovered yet.

References

5
