VYPR
Critical severity · NVD Advisory · Published Feb 9, 2021 · Updated Aug 3, 2024

CVE-2021-26957

Description

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because there is an out-of-bounds read in xcb::xproto::change_property(), as demonstrated by a format=32 T=u8 situation where out-of-bounds bytes are sent to an X server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The xcb crate for Rust has a soundness violation in change_property() that allows an out-of-bounds read, sending unintended bytes to the X server.

The xcb crate (rust-xcb) contains a soundness violation in the xcb::xproto::change_property() function, identified as CVE-2021-26957 [1][2]. The bug manifests when a caller passes format=32 together with a data slice of type u8, whose element size (1 byte) differs from the 4 bytes per element that the format implies. This mismatch leads to an out-of-bounds read: the function derives an element count from the buffer length and the format size (32 bits = 4 bytes), but then reads the buffer as if each element were 4 bytes, so the read extends beyond the actual data [2].

The vulnerability can be triggered by any user who can send X11 requests via the xcb crate, which typically requires local network access to an X server. The attacker crafts a call to change_property() with a malformed combination of format and data type, causing the function to read memory past the end of the provided slice. This out-of-bounds data is then transmitted as part of the X11 protocol request to the X server [2]. No special authentication is needed beyond the existing X11 connection, as the function is part of the public API of the crate.

The impact of this flaw is primarily information disclosure through memory exposure, as the out-of-bounds bytes may contain sensitive data from the application's heap or stack. Additionally, sending arbitrary data to the X server could lead to unpredictable behavior, possibly facilitating further attacks if the server interprets the leaked data in a harmful manner [2]. The RustSec advisory notes that the crate is unsound and unmaintained, with the maintainer stating they cannot keep up with Rust development [4].

As of the advisory publication date (2021-02-04), there is no patched release of the xcb crate that fixes this issue. The maintainer has expressed that the project is unmaintained, and users are advised to consider alternatives or avoid using the affected change_property() function [2][4]. The RustSec database recommends migrating to maintained alternatives for X11 bindings in Rust.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
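The element-size check the narrative above calls for, as an added example in Rust that is not the xcb crate's own code: `checked_property_payload`, `overread_bytes` and `PropertyElement` are names assumed here, and the unsound call is modelled arithmetically (how many bytes past the slice a `format`/`T` mismatch would consume) rather than by calling libxcb.

```rust
use std::mem::size_of;

/// Error returned when a property payload cannot be encoded soundly.
#[derive(Debug, PartialEq)]
pub enum PropertyError {
    BadFormat(u8),                                         // format must be 8, 16 or 32 bits
    ElementSizeMismatch { format: u8, elem_bytes: usize }, // size_of::<T>() * 8 != format
    TooLong(usize),                                        // element count does not fit in u32
}

/// Padding-free integer element types a property payload may be built from.
/// Unsafe to implement: `checked_property_payload` reinterprets the slice as bytes.
pub unsafe trait PropertyElement: Copy {}
unsafe impl PropertyElement for u8 {}
unsafe impl PropertyElement for u16 {}
unsafe impl PropertyElement for u32 {}

/// Bytes the protocol side consumes for `n_elems` elements of `format` bits each.
pub fn wire_bytes(format: u8, n_elems: usize) -> usize {
    n_elems * (format as usize / 8)
}

/// Models the unsound call: the element count is taken as `data.len()` without
/// checking `size_of::<T>()`. Returns how many bytes past the end of `data` the
/// protocol encoder would read (0 when the element size matches `format`).
pub fn overread_bytes<T>(format: u8, data: &[T]) -> usize {
    wire_bytes(format, data.len()).saturating_sub(data.len() * size_of::<T>())
}

/// Sound encoding: element count plus the exact byte view of `data`, produced only
/// when `format` matches the in-memory size of `T`.
pub fn checked_property_payload<T: PropertyElement>(
    format: u8,
    data: &[T],
) -> Result<(u32, &[u8]), PropertyError> {
    if !matches!(format, 8 | 16 | 32) {
        return Err(PropertyError::BadFormat(format));
    }
    let elem_bytes = size_of::<T>();
    if elem_bytes * 8 != format as usize {
        return Err(PropertyError::ElementSizeMismatch { format, elem_bytes });
    }
    if data.len() > u32::MAX as usize {
        return Err(PropertyError::TooLong(data.len()));
    }
    // SAFETY: T is a padding-free integer (PropertyElement), so every byte is
    // initialised, and the length is exactly data.len() * size_of::<T>().
    let bytes = unsafe {
        std::slice::from_raw_parts(data.as_ptr() as *const u8, data.len() * elem_bytes)
    };
    Ok((data.len() as u32, bytes))
}
```

With the format=32, T=u8 combination from the advisory, `overread_bytes` reports 3 extra bytes per element, and `checked_property_payload` refuses the call instead.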

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
xcb (crates.io)   < 1.0.0             1.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
