CVE-2020-36514
Description
An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. fill_buf may read from uninitialized memory locations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
acc_reader crate through 2020-12-27 passes an uninitialized buffer to the Read trait, enabling memory exposure and undefined behavior.
Vulnerability
The acc_reader crate (versions through 2020-12-27) contains a soundness bug in its BufRead implementation. The fill_buf() and read_up_to() methods use unsafe code to set the buffer length before reading from the underlying source via self.source.read(&mut self.buf[self.pos..]). After reserving capacity, the code performs unsafe { self.buf.set_len(old_len + self.inc); }, which makes uninitialized memory accessible. The Read implementation provided by the user may read from this uninitialized region, producing undefined values. The issue is described in the advisory [RUSTSEC-2020-0155] [3] and the original issue report [1].
Exploitation
An attacker can exploit this vulnerability if they can control or influence the Read implementation that is passed to AccReader. The Read trait implementation can read from the uninitialized buffer, exposing memory contents, or return an incorrect number of bytes, causing undefined behavior. No special authentication or network position is required beyond the ability to supply a custom Read type. The exploit sequence involves calling fill_buf() or read_up_to() on the AccReader, which triggers the unsafe buffer length manipulation and then passes the uninitialized slice to the user-provided Read::read() method [1][3].
Impact
Successful exploitation leads to memory exposure (information disclosure) and potentially undefined behavior. Reading from uninitialized memory can produce undefined values that may quickly trigger undefined behavior in Rust, such as logic errors, crashes, or further memory corruption. The impact aligns with a "memory-exposure" and "Unsound" classification [3]. The attacker may gain access to sensitive data from the process's memory or cause unpredictable program behavior.
Mitigation
As of the RustSec advisory [3], no patched version of the acc_reader crate exists. The repository README notes that the maintainer is no longer able to support the library and is looking for a new maintainer, suggesting no fix will be forthcoming [4]. Users should avoid using the acc_reader crate or replace it with an alternative that does not have this soundness issue. The crate is unmaintained, so no update is expected.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
acc_readercrates.io | <= 2.0.0 | — |
Affected products
2- acc_reader/acc_readerdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-p4cr-64x4-f92fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-36514ghsaADVISORY
- github.com/netvl/acc_reader/issues/1ghsaWEB
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/acc_reader/RUSTSEC-2020-0155.mdghsax_refsource_MISCWEB
- rustsec.org/advisories/RUSTSEC-2020-0155.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.