CVE-2020-36512
Description
An issue was discovered in the buffoon crate through 2020-12-31 for Rust. InputStream::read_exact may read from uninitialized memory locations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The buffoon crate's InputStream::read_exact method passes an uninitialized buffer to a user-provided Read implementation, causing undefined behavior.
Vulnerability
The buffoon crate (versions up to 2020-12-31) contains a soundness vulnerability in InputStream::read_exact. This method creates an uninitialized buffer and passes it directly to a user-provided Read implementation [1][2]. The Rust standard library's Read trait documentation explicitly warns that calling read with an uninitialized buffer is not safe and can lead to undefined behavior [4]. This affects all versions of the crate that were available up to the reported date, and no patched versions have been released [2].
Exploitation
An attacker who can control the Read implementation that gets passed to InputStream::read_exact (for example, when the attacker can provide the data being read or can influence the implementation through other means) can trigger undefined behavior. The attacker's Read implementation can read from the uninitialized buffer, leading to memory exposure, and can also return an incorrect number of bytes written to the buffer, producing undefined values [2]. No special privileges are required beyond the ability to supply a custom Read implementation for the vulnerable method call.
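The sound pattern that avoids this class of bug, shown as an added example rather than code from the buffoon crate: the buffer is zero-initialised before any `Read` implementation sees it, and the byte count a reader reports is validated against the slice it was given. `read_exact_init` and `LyingReader` are names constructed for this illustration.

```rust
use std::io::{self, Cursor, Read};

/// Read exactly `n` bytes from `reader` into a freshly allocated buffer.
/// The buffer is zero-initialised before it is handed to `read`, so a
/// `Read` impl that inspects the buffer or never writes to it can only
/// observe zeros, never stale heap contents (the exposure the advisory describes).
pub fn read_exact_init<R: Read>(reader: &mut R, n: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; n];
    let mut filled = 0;
    while filled < n {
        let got = reader.read(&mut buf[filled..])?;
        if got == 0 {
            return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "short read"));
        }
        // A misbehaving reader must not be able to claim more bytes than the
        // slice it received; treat that as a contract violation, not as data.
        if got > n - filled {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                "reader reported more bytes than the buffer it was given",
            ));
        }
        filled += got;
    }
    Ok(buf)
}

/// Constructed test double: writes nothing and simply reports `claim` bytes,
/// modelling the incorrect byte count the advisory warns about.
pub struct LyingReader {
    pub claim: usize,
}

impl Read for LyingReader {
    fn read(&mut self, _buf: &mut [u8]) -> io::Result<usize> {
        Ok(self.claim)
    }
}

fn main() {
    let mut honest = Cursor::new(b"hello world".to_vec()); // constructed input
    println!("{:?}", read_exact_init(&mut honest, 5));      // Ok([104, 101, 108, 108, 111])
    let mut liar = LyingReader { claim: 4 };
    println!("{:?}", read_exact_init(&mut liar, 4));        // Ok([0, 0, 0, 0]), never stale memory
    let mut over = LyingReader { claim: 1000 };
    println!("{:?}", read_exact_init(&mut over, 4));        // Err(InvalidData)
}
```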
Impact
Successful exploitation results in undefined behavior (UB) due to reading from uninitialized memory. This can lead to information disclosure (memory exposure), and because undefined values can quickly propagate, it may cause a wide range of further impacts including program crashes, data corruption, or potential code execution depending on how the undefined values are used [2]. The vulnerability is classified under the memory-exposure category and is considered unsound (INFO level) by the RustSec advisory database [2].
Mitigation
As of the last update from the advisory database (June 13, 2023), no patched versions of the buffoon crate have been released [2]. The vulnerability was reported on December 31, 2020, and the issue was acknowledged by the maintainers in a GitHub issue [4]. Users are advised to avoid using the buffoon crate or to replace it with an alternative for Protocol Buffers in Rust. The crate does not appear to be actively maintained. No workaround is available within the crate itself. This vulnerability is not listed on the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| buffoon (crates.io) | <= 0.5.0 | — |
Affected products
- buffoon/buffoon
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v938-qcc9-rwv8 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36512 (advisory)
- github.com/carllerche/buffoon/issues/2 (web)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/buffoon/RUSTSEC-2020-0154.md (web)
- rustsec.org/advisories/RUSTSEC-2020-0154.html (web)
News mentions
No linked articles in our index yet.