VYPR
Critical severity · NVD Advisory · Published Feb 9, 2021 · Updated Aug 3, 2024

CVE-2021-26955

Description

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because xcb::xproto::GetAtomNameReply::name() calls std::str::from_utf8_unchecked() on unvalidated bytes from an X server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The xcb Rust crate (≤2021-02-04) has a soundness bug in GetAtomNameReply::name() using from_utf8_unchecked on unvalidated X server bytes, risking undefined behavior.

Vulnerability

CVE-2021-26955 is a soundness violation in the xcb crate for Rust (versions through 2021-02-04). The issue lies in xcb::xproto::GetAtomNameReply::name(), which calls std::str::from_utf8_unchecked() on bytes received from an X server without validating that they form valid UTF-8 [1][2]. This breaks Rust's safety guarantees because the bytes could come from a malicious or untrusted X server.

Exploitation

An attacker who can control an X server that a client connects to can send arbitrary bytes in the atom name reply. Since the crate does not validate UTF-8, invoking name() on such a reply leads to undefined behavior in safe Rust code [2]. No special privileges beyond network access to the client are required if the client connects to the attacker's X server.

Impact

The undefined behavior can manifest as memory corruption or memory exposure, as categorized in the RustSec advisory [2]. This could potentially be leveraged for further compromise of the client application or data leakage. The crate is also flagged for multiple soundness issues [4].

Mitigation

The xcb crate is unmaintained, as stated in its README [3]. Users are advised to avoid using it entirely and migrate to alternatives such as x11rb or direct Xlib bindings. No patch is available for the affected versions [2][4].
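The Vulnerability and Mitigation sections above describe the pattern in the abstract; the following is an added example, not the xcb crate's code. It uses a hypothetical GetAtomNameReply stand-in holding constructed wire bytes, keeps the unchecked conversion only to show the shape of the bug (it is never called), and places the validating and lossy conversions beside it.

```rust
// Added example modelling CVE-2021-26955; GetAtomNameReply here is a
// hypothetical stand-in, not the xcb crate's type. The X server sits
// outside the trust boundary, so the name bytes may not be UTF-8.

/// Hypothetical stand-in: just the raw atom-name bytes from the reply.
pub struct GetAtomNameReply {
    raw: Vec<u8>,
}

impl GetAtomNameReply {
    /// Build from a byte buffer, as if parsed off the wire.
    pub fn from_wire(bytes: &[u8]) -> Self {
        GetAtomNameReply { raw: bytes.to_vec() }
    }

    /// Unsound pattern from the advisory: server bytes treated as UTF-8
    /// without a check. A `&str` built this way violates the type's
    /// invariant, which is undefined behaviour in otherwise safe code.
    /// Shown only for comparison; not called anywhere in this example.
    #[allow(dead_code)]
    pub fn name_unchecked(&self) -> &str {
        // SAFETY: there is none; the bytes come from an untrusted server.
        unsafe { std::str::from_utf8_unchecked(&self.raw) }
    }

    /// Hardened form: validate and surface a non-UTF-8 name to the caller.
    pub fn name(&self) -> Result<&str, std::str::Utf8Error> {
        std::str::from_utf8(&self.raw)
    }

    /// Alternative for best-effort display: invalid sequences become
    /// U+FFFD instead of undefined behaviour.
    pub fn name_lossy(&self) -> std::borrow::Cow<'_, str> {
        String::from_utf8_lossy(&self.raw)
    }
}

/// Constructed samples: a well-formed atom name and a malformed one
/// (0xFF and 0xFE are never valid UTF-8 bytes), standing in for what a
/// hostile or buggy server could return.
pub fn sample_replies() -> (GetAtomNameReply, GetAtomNameReply) {
    (
        GetAtomNameReply::from_wire(b"WM_NAME"),
        GetAtomNameReply::from_wire(&[b'W', b'M', 0xFF, 0xFE, b'_']),
    )
}

fn main() {
    let (good, bad) = sample_replies();
    println!("good: {:?}", good.name());
    println!("bad:  {:?} / lossy: {:?}", bad.name(), bad.name_lossy());
}
```

With the validating `name()`, the malformed reply is reported as an error at byte offset 2 rather than silently producing an invalid `&str`.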

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
xcb (crates.io)    < 1.0.0              1.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4
