VYPR
← All advisories
High severityNVD Advisory· Published Aug 8, 2021· Updated Aug 4, 2024

CVE-2020-36464

CVE-2020-36464

Description

In heapless before 0.6.1, IntoIter::Clone clones the full backing Vec even when partially consumed, causing use-after-free and double-free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In heapless before 0.6.1, IntoIter::Clone clones the full backing Vec even when partially consumed, causing use-after-free and double-free.

Vulnerability

The heapless crate (versions prior to 0.6.1) contains an unsoundness in the IntoIter::Clone implementation. The Clone trait for IntoIter clones the entire underlying Vec without accounting for whether the iterator has been partially consumed via next() calls. This results in a use-after-free and double-free scenario where already-dropped elements are cloned and then later dropped again [1][2][3].

Exploitation

An attacker does not require any special network position or authentication; the vulnerability is triggered entirely by normal usage of the crate's API. The affected code path is executed when a user calls .clone() on a IntoIter that has been partially advanced (e.g., after calling next() and dropping the returned item). No race conditions or user interaction beyond programmatic calls are needed. A minimal proof-of-concept involves creating a Vec, converting it to IntoIter, calling next() on the iterator, and then calling clone() on the iterator [3].

Impact

Successful exploitation leads to memory corruption: cloning already-dropped elements results in a use-after-free (reading freed memory) and a double-free (dropping elements again). This can cause undefined behavior, including arbitrary code execution or denial of service. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) scores availability impact as High, though the unsoundness can also undermine memory safety in other ways [1][2].

Mitigation

The vulnerability is fixed in heapless version 0.6.1 and later. Users should update to >=0.6.1 immediately. The fix ensures that IntoIter::Clone only clones the remaining unconsumed elements of the iterator. No workaround is available for earlier versions; patching the dependency is the only mitigation [2][3].

References
  1. NVD - CVE-2020-36464
  2. Use-after-free when cloning a partially consumed `Vec` iterator › RustSec Advisory Database
  3. Unsoundness in vec::IntoIter::clone()

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
heaplesscrates.io
< 0.6.10.6.1

Affected products

2

Patches

1
96f38a6f738d

Merge pull request #194 from AfoHT/release_0.6.1

https://github.com/japaric/heaplessEmil FreskMar 2, 2021via osv
commit
2 files changed · +10 2
  • Cargo.toml+1 1 modified
    @@ -17,7 +17,7 @@ keywords = [
 license = "MIT OR Apache-2.0"
 name = "heapless"
 repository = "https://github.com/japaric/heapless"
-version = "0.6.0"
+version = "0.6.1"
 
 [features]
 default = ["cas"]
  • CHANGELOG.md+9 1 modified
    @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [v0.6.1] - 2021-03-02
+
+### Fixed
+
+- Security issue.
+
 ## [v0.6.0] - 2021-02-02
 
 ### Changed
@@ -323,7 +329,9 @@ architecture.
 
 - Initial release
 
-[Unreleased]: https://github.com/japaric/heapless/compare/v0.5.5...HEAD
+[Unreleased]: https://github.com/japaric/heapless/compare/v0.6.1...HEAD
+[v0.6.1]: https://github.com/japaric/heapless/compare/v0.6.0...v0.6.1
+[v0.6.0]: https://github.com/japaric/heapless/compare/v0.5.5...v0.6.0
 [v0.5.5]: https://github.com/japaric/heapless/compare/v0.5.4...v0.5.5
 [v0.5.4]: https://github.com/japaric/heapless/compare/v0.5.3...v0.5.4
 [v0.5.3]: https://github.com/japaric/heapless/compare/v0.5.2...v0.5.3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.