VYPR
High severity · NVD Advisory · Published Feb 9, 2021 · Updated Aug 3, 2024

CVE-2021-26958

Description

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because transmutation to the wrong type can happen after xcb::base::cast_event uses std::mem::transmute to return a reference to an arbitrary type.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The xcb crate for Rust has a soundness violation where `cast_event` uses `std::mem::transmute` to return a reference to an arbitrary type, enabling memory corruption.

Vulnerability

The xcb crate for Rust, a set of bindings and wrappers for the X protocol (XCB), contains a soundness violation in all versions through 2021-02-04, the advisory's cut-off date. The flaw resides in the xcb::base::cast_event function, which uses std::mem::transmute to return a reference to whatever type the caller names, without checking that the event actually received matches that type [1]. A cast to the wrong type therefore yields a reference to wrongly typed memory, breaking Rust's memory safety guarantees.

Exploitation

The attack surface is the event stream itself: the bytes received from the X11 server are interpreted as any type the caller chooses. An attacker who controls or influences the data returned by the X server (e.g., a malicious X server or a compromised display) can cause a Rust application using the xcb crate to interpret those bytes as an incorrect type [4]. No privilege beyond serving the display is required; the vulnerability is triggered purely by cast_event's unchecked type coercion whenever the type named at the cast site does not match the event that was actually delivered.

Impact

A successful exploit could lead to memory corruption or memory exposure [2]. Because the transmute can coerce the reference to an arbitrary type, an attacker could potentially read out-of-bounds memory or cause undefined behavior, depending on how the resulting reference is used. The RustSec advisory lists this as a memory-corruption and memory-exposure vulnerability [2].

Mitigation

The xcb crate was effectively unmaintained as of the advisory publication date [4]. The repository README carries a maintenance request stating that the original author cannot spend time on the project [3]. Users of the crate should migrate to an alternative or ensure they do not rely on the unsound cast_event function, for instance by checking the event's response_type before any cast. At the time of the cited references no patched release of the 0.x series existed and a v1.0 was in preparation but not yet stable [3]; the GitHub Security Advisory now lists 1.0.0 as the patched version (see Affected packages below).
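The following is an added example, not code from the xcb crate or the advisory: a self-contained model of the cast_event pattern described above (an unchecked generic transmute of the event reference), beside a checked replacement of the kind the mitigation calls for. It covers the vulnerability, exploitation and mitigation paragraphs together. The event layouts follow the X11 wire format (32-byte events, response_type in byte 0, KeyPress = 2, Expose = 12); the struct names, the `Event` trait and the constructed Expose event are assumptions made for the example.

```rust
use std::mem;

// Added example, not the xcb crate's code: a model of the unchecked
// cast_event pattern and a checked replacement. Event layouts follow the
// X11 wire format; the type names and the Event trait are assumptions.

/// Model of the 32-byte event buffer an X server sends and that the
/// crate's GenericEvent wraps.
#[repr(C, align(4))]
#[derive(Clone, Copy)]
pub struct GenericEvent {
    pub raw: [u8; 32],
}

impl GenericEvent {
    /// Event code; the high bit flags events injected via SendEvent.
    pub fn response_type(&self) -> u8 {
        self.raw[0] & 0x7f
    }
}

/// Model of the KeyPress event (code 2): 32 bytes of plain integers.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct KeyPressEvent {
    pub response_type: u8,
    pub detail: u8, // keycode
    pub sequence: u16,
    pub time: u32,
    pub root: u32,
    pub event: u32, // window the application will act on next
    pub child: u32,
    pub root_x: i16,
    pub root_y: i16,
    pub event_x: i16,
    pub event_y: i16,
    pub state: u16,
    pub same_screen: u8,
    pub pad0: u8,
}

/// Model of the Expose event (code 12): 20 bytes used of the 32.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct ExposeEvent {
    pub response_type: u8,
    pub pad0: u8,
    pub sequence: u16,
    pub window: u32,
    pub x: u16,
    pub y: u16,
    pub width: u16,
    pub height: u16,
    pub count: u16,
    pub pad1: [u8; 2],
}

/// The vulnerable pattern: a generic cast that transmutes the reference to
/// whatever T the caller names. Nothing ties T to response_type, nothing
/// stops T from being larger than the 32-byte buffer (out-of-bounds read),
/// and nothing stops T from holding fields for which the received bytes are
/// an invalid bit pattern (undefined behaviour).
pub fn cast_event_unsound<'r, T>(event: &'r GenericEvent) -> &'r T {
    unsafe { mem::transmute(event) }
}

/// Hardened replacement: the target type declares which event code it is the
/// layout of, and a mismatch fails instead of misinterpreting the bytes.
/// SAFETY contract for implementers: T is #[repr(C)], no larger or more
/// aligned than GenericEvent, and every bit pattern is a valid T.
pub unsafe trait Event: Copy {
    const RESPONSE_TYPE: u8;
}
unsafe impl Event for KeyPressEvent { const RESPONSE_TYPE: u8 = 2; }
unsafe impl Event for ExposeEvent { const RESPONSE_TYPE: u8 = 12; }

pub fn cast_event_checked<T: Event>(event: &GenericEvent) -> Option<&T> {
    if event.response_type() != T::RESPONSE_TYPE {
        return None;
    }
    assert!(mem::size_of::<T>() <= mem::size_of::<GenericEvent>());
    assert!(mem::align_of::<T>() <= mem::align_of::<GenericEvent>());
    // SAFETY: the code matches, and the Event contract guarantees T fits in
    // the buffer and accepts any bit pattern.
    Some(unsafe { &*(event as *const GenericEvent as *const T) })
}

/// Constructed sample: an Expose event as a server (benign or malicious)
/// would send it, in native byte order because the structs are read natively.
pub fn constructed_expose(sequence: u16, window: u32, x: u16, y: u16,
                          width: u16, height: u16, count: u16) -> GenericEvent {
    let mut raw = [0u8; 32];
    raw[0] = ExposeEvent::RESPONSE_TYPE;
    raw[2..4].copy_from_slice(&sequence.to_ne_bytes());
    raw[4..8].copy_from_slice(&window.to_ne_bytes());
    raw[8..10].copy_from_slice(&x.to_ne_bytes());
    raw[10..12].copy_from_slice(&y.to_ne_bytes());
    raw[12..14].copy_from_slice(&width.to_ne_bytes());
    raw[14..16].copy_from_slice(&height.to_ne_bytes());
    raw[16..18].copy_from_slice(&count.to_ne_bytes());
    GenericEvent { raw }
}

/// What an application trusting the unsound cast acts on when it expects a
/// key press but received an Expose: the "event window" it will pass to its
/// next request is really the width/height pair.
pub fn window_from_unsound_cast(ev: &GenericEvent) -> u32 {
    let key: &KeyPressEvent = cast_event_unsound(ev);
    key.event
}

/// The same application logic with the checked cast: the mismatch surfaces.
pub fn window_from_checked_cast(ev: &GenericEvent) -> Option<u32> {
    cast_event_checked::<KeyPressEvent>(ev).map(|k| k.event)
}

fn main() {
    let ev = constructed_expose(7, 0x0040_0001, 0, 0, 0x1234, 0x5678, 0);
    println!("unsound cast thinks the window is {:#x}", window_from_unsound_cast(&ev));
    println!("checked cast: {:?}", window_from_checked_cast(&ev));
}
```

The two target types here are deliberately all-integer and no larger than the buffer, so the wrong-type read in `window_from_unsound_cast` is merely garbage rather than undefined behaviour; with a larger target type or one containing references, enums or bools, the same unchecked transmute is an out-of-bounds read or UB, which is the memory-corruption and memory-exposure outcome the advisory describes.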

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
xcb (crates.io)   < 1.0.0             1.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
