VYPR
High severity · NVD Advisory · Published Jan 29, 2021 · Updated Aug 3, 2024

CVE-2021-26306

Description

An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It has unsound transmute calls within as_string() methods.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The raw-cpuid crate before 9.0.0 for Rust contains unsound transmute calls in as_string() methods, leading to undefined behavior and potential memory corruption.

Vulnerability Details

The raw-cpuid crate, which parses the x86 CPUID instruction, contains unsound transmute calls in several as_string() methods, including VendorInfo::as_string(), SoCVendorBrand::as_string(), and ExtendedFunctionInfo::processor_brand_string(). These methods construct byte slices using std::slice::from_raw_parts() on data stored in #[repr(Rust)] structs. Because Rust's default struct layout is unspecified, this is always undefined behavior [1][2].

Exploitation

The vulnerability is triggered whenever the affected as_string() methods are called on CPUID data. While CPUID data is typically read from hardware, an attacker with control over the CPUID output—such as through a malicious hypervisor or compromised firmware—could potentially exploit the undefined behavior to cause memory corruption. More broadly, any application using the vulnerable crate may encounter undefined behavior during normal operation, leading to crashes or unpredictable program behavior [2].

Impact

Undefined behavior in Rust can result in memory corruption, denial of service, or, under certain compiler optimizations, arbitrary code execution. The RustSec advisory categorizes this issue as both memory-corruption and denial-of-service [2].

Mitigation

The issue has been fixed in version 9.0.0 of the raw-cpuid crate by making the relevant structs #[repr(C)], which guarantees a stable memory layout and eliminates the undefined behavior [1][2]. Users should update to version 9.0.0 or later. No workaround is available for earlier versions.
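The layout fix described above, shown as an added example that is not the raw-cpuid crate's own code. `VendorInfo` here is a hypothetical three-register stand-in for the crate's struct, the register values are constructed, and the fallback string and `to_bytes()` helper are choices made for this example only.

```rust
use std::{mem, slice, str};

// Hypothetical stand-in for the crate's vendor struct (not its real definition).
// CPUID leaf 0 returns the vendor string in EBX, EDX, ECX, in that order.
// Without #[repr(C)] the compiler may reorder the fields, so the byte view in
// as_string() would rest on a layout the language does not promise.
#[repr(C)]
pub struct VendorInfo {
    pub ebx: u32,
    pub edx: u32,
    pub ecx: u32,
}

// Compile-time guard: three u32 registers, no padding.
const _: () = assert!(mem::size_of::<VendorInfo>() == 12);

impl VendorInfo {
    /// Borrowed byte view of the struct; relies on the #[repr(C)] field order.
    pub fn as_string(&self) -> &str {
        let ptr = self as *const Self as *const u8;
        // SAFETY: repr(C) with three u32 fields is 12 initialized bytes with no padding.
        let bytes = unsafe { slice::from_raw_parts(ptr, mem::size_of::<Self>()) };
        // Register contents come from outside the program: validate, never assume UTF-8.
        str::from_utf8(bytes).unwrap_or("<invalid vendor>")
    }

    /// Layout-independent alternative: copy each register out explicitly.
    pub fn to_bytes(&self) -> [u8; 12] {
        let mut out = [0u8; 12];
        out[0..4].copy_from_slice(&self.ebx.to_le_bytes());
        out[4..8].copy_from_slice(&self.edx.to_le_bytes());
        out[8..12].copy_from_slice(&self.ecx.to_le_bytes());
        out
    }
}

/// Constructed register values spelling "GenuineIntel"; no CPUID call is made.
pub fn sample() -> VendorInfo {
    VendorInfo {
        ebx: u32::from_le_bytes(*b"Genu"),
        edx: u32::from_le_bytes(*b"ineI"),
        ecx: u32::from_le_bytes(*b"ntel"),
    }
}

fn main() {
    let v = sample();
    println!("{} / {:?}", v.as_string(), str::from_utf8(&v.to_bytes()));
}
```

Deleting the `#[repr(C)]` line still compiles, which is why this class of bug survives review: the byte view then depends on a field order the compiler is free to change.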

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
raw-cpuid (crates.io) | < 9.0.0 | 9.0.0
