VYPR
High severity · NVD Advisory · Published Jan 22, 2021 · Updated Aug 3, 2024

CVE-2021-25904

Description

An issue was discovered in the av-data crate before 0.3.0 for Rust. A raw pointer is dereferenced, leading to a read of an arbitrary memory address, sometimes causing a segfault.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The av-data crate before 0.3.0 in Rust contains a memory-safety bug where a safe API dereferences a raw pointer, enabling arbitrary memory reads and segfaults.

Root Cause

The vulnerability resides in the Frame::copy_from_raw_parts() function of the av-data crate (versions prior to 0.3.0). The function is declared as a safe (non-unsafe) API but does not validate the pointers passed as arguments, allowing a caller to supply null or arbitrary addresses. Internally, the function dereferences these pointers without any safety checks, triggering undefined behavior [1][2].

Exploitation

An attacker can trigger the flaw without using any unsafe Rust blocks. The proof-of-concept provided by researchers shows that by passing null pointers for the source planes, the program immediately segfaults upon calling copy_from_raw_parts(). Since the function is safe, any downstream crate that uses av-data and exposes this function to user input can be exploited to cause a denial-of-service (segfault) or—depending on memory layout—potentially read sensitive data from arbitrary addresses [2][3].

Impact

The issue leads to a read of an arbitrary memory address, which can crash the application (segmentation fault) or leak memory contents. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the availability impact as High, while confidentiality is rated None, although arbitrary reads could in practice disclose information. No authentication or user interaction is required if the vulnerable function is reachable over the network [1][2].

Mitigation

Users should upgrade to av-data version 0.3.0 or later, which patches the issue by either validating pointers or marking the API as unsafe. No workaround is available; any code that calls copy_from_raw_parts() with untrusted inputs must be updated [1][2]. The advisory is also tracked as RUSTSEC-2021-0007 and GHSA-352p-rhvq-7g78 [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| av-data (crates.io) | < 0.3.0 | 0.3.0 |

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing pointer validation in `Frame::copy_from_raw_parts` allows dereferencing null or arbitrary memory addresses from safe Rust code."

Attack vector

An attacker can craft a call to `Frame::copy_from_raw_parts` with null or arbitrary raw pointers, causing the function to dereference an invalid memory address. Because the function is not marked `unsafe`, this undefined behavior can be triggered from safe Rust code without any `unsafe` block [ref_id=1]. The proof-of-concept passes a vector of null pointers as the source data, leading to an immediate segmentation fault [ref_id=1].

Affected code

The vulnerable function is `Frame::copy_from_raw_parts` in the `av-data` crate (file path not specified in the advisory). The function accepts raw pointers from the caller without checking that they are valid [ref_id=1].

What the fix does

The advisory recommends changing `Frame::copy_from_raw_parts` to an `unsafe` API, since it requires callers to guarantee the validity of the input pointers [ref_id=1]. No patch diff is provided in the bundle; the fix was applied in version 0.3.0 of the crate. Making the function `unsafe` shifts the burden of pointer validation to the caller, which is the standard Rust approach for operations that can cause undefined behavior.
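
The two API shapes this section contrasts, as an added example (not code from av-data or the advisory): a raw-pointer entry point marked `unsafe`, next to a safe slice-based one that can validate its input. `Plane`, `CopyError`, `copy_from_slice` and `copy_from_raw` are hypothetical names, and the sample bytes are constructed.

```rust
// Added illustration with hypothetical types; this is not av-data source code.
#[derive(Debug, PartialEq)]
pub enum CopyError { NullPointer, BadLength }

/// One image plane: `rows` rows of `stride` bytes each.
pub struct Plane { data: Vec<u8>, stride: usize, rows: usize }

impl Plane {
    pub fn new(stride: usize, rows: usize) -> Self {
        Plane { data: vec![0; stride * rows], stride, rows }
    }

    pub fn bytes(&self) -> &[u8] { &self.data }

    /// Safe entry point: a slice carries its own validity and length guarantees.
    pub fn copy_from_slice(&mut self, src: &[u8], src_stride: usize) -> Result<(), CopyError> {
        let needed = src_stride.checked_mul(self.rows).ok_or(CopyError::BadLength)?;
        if self.stride == 0 || src_stride == 0 || src.len() < needed {
            return Err(CopyError::BadLength);
        }
        let width = self.stride.min(src_stride);
        for (dst, row) in self.data.chunks_mut(self.stride).zip(src.chunks(src_stride)) {
            dst[..width].copy_from_slice(&row[..width]);
        }
        Ok(())
    }

    /// Raw-pointer entry point, marked `unsafe` so callers must uphold the contract.
    ///
    /// # Safety
    /// `src` must be valid for reads of `src_stride * rows` bytes.
    pub unsafe fn copy_from_raw(&mut self, src: *const u8, src_stride: usize) -> Result<(), CopyError> {
        // A null check catches the PoC's input, but a dangling non-null pointer
        // cannot be detected at run time, which is why the function stays `unsafe`.
        if src.is_null() { return Err(CopyError::NullPointer); }
        let len = src_stride.checked_mul(self.rows).ok_or(CopyError::BadLength)?;
        let src = unsafe { std::slice::from_raw_parts(src, len) };
        self.copy_from_slice(src, src_stride)
    }
}

fn main() {
    let mut plane = Plane::new(4, 2);
    let src = [1u8, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]; // constructed sample, stride 6
    println!("{:?}", plane.copy_from_slice(&src, 6));
    // Without an `unsafe` block the next call does not compile.
    println!("{:?}", unsafe { plane.copy_from_raw(std::ptr::null(), 6) });
}
```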

Preconditions

  • input: The attacker must be able to invoke `Frame::copy_from_raw_parts` with attacker-controlled pointer values.
  • auth: No `unsafe` block is required; the call can be made from safe Rust code.

Reproduction

The following proof-of-concept from the advisory [ref_id=1] reproduces the segfault:

```rust
use av_data::frame::*;
use av_data::pixel::*;

fn main() {
    let yuv420: Formaton = *formats::YUV420;
    let fm = std::sync::Arc::new(yuv420);
    let video_info = VideoInfo {
        pic_type: PictureType::I,
        width: 42,
        height: 42,
        format: fm,
    };
    let mut frame = new_default_frame(
        MediaKind::Video(video_info),
        None
    );

    // Two null pointers are passed as the source planes; no `unsafe` block is needed.
    frame.copy_from_raw_parts(
        vec![0 as usize as *const u8; 2].into_iter(),
        vec![40; 2].into_iter()
    );
}
```

Run on Ubuntu 18.04 with rustc 1.50.0-nightly to observe a segmentation fault [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
