VYPR
NVD Advisory, Critical severity. Published Feb 9, 2021. Updated Aug 3, 2024.

CVE-2021-26951

Description

An issue was discovered in the calamine crate before 0.17.0 for Rust. It allows attackers to overwrite heap-memory locations because Vec::set_len is used without proper memory claiming, and this uninitialized memory is used for a user-provided Read operation, as demonstrated by Sectors::get.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Calamine before 0.17.0 uses unsafe Vec::set_len without reserving memory, allowing heap corruption via uninitialized read operations.

Vulnerability

CVE-2021-26951 is a memory-safety vulnerability in the calamine crate (Rust) affecting versions prior to 0.17.0. The bug resides in the Sectors::get function, which unsafely calls Vec::set_len to extend the internal buffer without first reserving the required capacity. This allows writing into uninitialized heap memory via a user-controlled Read operation [1][2].

Exploitation

An attacker can trigger the vulnerability by providing a specially crafted spreadsheet file (e.g., XLS or ODS) that causes the library to read data into the uninitialized region. No authentication or special network position is required; any code path that opens a malicious file with the affected crate can exploit the issue [3]. The get method calls r.read(&mut self.data[len..end]) directly on a slice that may extend past the buffer's allocated capacity, so the write can land in memory belonging to other allocations, leading to heap corruption.

Impact

Successful exploitation can lead to arbitrary heap memory overwrites, potentially enabling code execution, data corruption, or information disclosure. The RustSec advisory assigns a CVSS score of 9.8 (Critical) due to the network attack vector and the lack of privileges required [4].

Mitigation

Users should update to calamine version 0.17.0 or later, which properly reserves memory before calling set_len. No workarounds are available; running an unpatched version with untrusted files poses a serious risk [1][4].
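As an added illustration of the safe pattern, and not code from calamine or its 0.17.0 fix, here is a hypothetical Sectors buffer whose get grows its Vec with resize (which reserves capacity and zero-fills the new bytes) before handing a slice to Read. This is a fully safe alternative to the reserve-then-set_len fix the advisory describes; the struct, the OneByteReader and the sample bytes are constructed for this example. It also handles the two cases a set_len-based reader gets wrong: a short read, which would leave uninitialized bytes in the visible buffer, and a failed read, which is rolled back.

```rust
use std::io::{self, Cursor, Read};

/// Hypothetical stand-in for a sector buffer (not calamine's own code).
/// `data` holds every sector read so far; `sector_size` is the fixed sector length.
pub struct Sectors {
    data: Vec<u8>,
    sector_size: usize,
}

impl Sectors {
    pub fn new(sector_size: usize) -> Self {
        Sectors { data: Vec::new(), sector_size }
    }

    /// Bytes buffered so far.
    pub fn buffered(&self) -> &[u8] {
        &self.data
    }

    /// Appends one sector read from `r` and returns it.
    ///
    /// The unsound pattern behind CVE-2021-26951 grows the Vec with
    /// `set_len(end)` before that capacity exists, so the slice handed to
    /// `read` runs past the allocation. Here the buffer is grown with
    /// `resize`, which both reserves capacity and zero-fills the new bytes,
    /// so the slice always lies inside initialised, owned memory.
    pub fn get<R: Read>(&mut self, r: &mut R) -> io::Result<&[u8]> {
        let start = self.data.len();
        let end = start + self.sector_size;
        self.data.resize(end, 0);

        // `read` may return fewer bytes than requested; loop until the
        // sector is full or the reader reports EOF.
        let mut filled = 0;
        while filled < self.sector_size {
            match r.read(&mut self.data[start + filled..end]) {
                Ok(0) => break, // EOF: short final sector
                Ok(n) => filled += n,
                Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
                Err(e) => {
                    // Roll back so a failed read never leaves a half-filled
                    // sector in the buffer.
                    self.data.truncate(start);
                    return Err(e);
                }
            }
        }
        // Drop the zero padding that no data arrived for, so the caller only
        // ever sees bytes the reader actually produced.
        self.data.truncate(start + filled);
        Ok(&self.data[start..])
    }
}

/// Constructed reader that hands out at most one byte per call, to exercise
/// the short-read loop in `get`.
pub struct OneByteReader<'a> {
    inner: Cursor<&'a [u8]>,
}

impl<'a> Read for OneByteReader<'a> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if buf.is_empty() {
            return Ok(0);
        }
        self.inner.read(&mut buf[..1])
    }
}

fn main() -> io::Result<()> {
    let sample: &[u8] = &[1, 2, 3, 4, 5, 6]; // constructed input
    let mut sectors = Sectors::new(4);
    let mut r = OneByteReader { inner: Cursor::new(sample) };
    println!("first sector:  {:?}", sectors.get(&mut r)?); // [1, 2, 3, 4]
    println!("second sector: {:?}", sectors.get(&mut r)?); // [5, 6]
    println!("third sector:  {:?}", sectors.get(&mut r)?); // []
    println!("buffered:      {:?}", sectors.buffered()); // [1, 2, 3, 4, 5, 6]
    Ok(())
}
```

The design point is that the slice passed to a user-supplied Read implementation must be backed by initialised memory the Vec already owns; resize guarantees both, and truncating afterwards means a reader that delivers fewer bytes than a sector cannot leave padding (or, in the original bug, stale heap contents) in the data the parser goes on to interpret.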

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: calamine (crates.io)
Affected versions: < 0.17.0
Patched versions: 0.17.0

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)