VYPR
High severity · NVD Advisory · Published Apr 1, 2021 · Updated Aug 3, 2024

CVE-2021-29930

Description

An issue was discovered in the arenavec crate through 2021-01-12 for Rust. A drop of uninitialized memory can sometimes occur upon a panic in T::default().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The arenavec crate through 2021-01-12 contains a panic-safety bug that can cause a drop of uninitialized memory or a double-free, leading to memory corruption.

Vulnerability

The arenavec crate through 2021-01-12 contains a panic-safety bug that can trigger a drop of uninitialized memory or a double-free. In common::Slice::<T, H>::new, a panic in T::default() causes the code to drop uninitialized memory. In addition, common::SliceVec::<T, H>::resize_with can cause a double-free if T::drop panics [1][2].
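
The panic-safe way to default-fill a buffer, as an added example (not code from arenavec or from the advisory): a drop guard counts the slots actually written, so an unwind out of T::default() drops only those and never touches uninitialized memory. InitGuard, new_default_vec and Flaky are hypothetical names constructed for this illustration.

```rust
use std::mem::MaybeUninit;
use std::panic;
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};

// Constructed test type: default() panics on its 3rd call; Drop counts itself.
static MADE: AtomicUsize = AtomicUsize::new(0);
static DROPPED: AtomicUsize = AtomicUsize::new(0);
#[allow(dead_code)]
struct Flaky(Box<u32>);
impl Default for Flaky {
    fn default() -> Self {
        if MADE.fetch_add(1, SeqCst) == 2 { panic!("default() failed"); }
        Flaky(Box::new(7))
    }
}
impl Drop for Flaky {
    fn drop(&mut self) { DROPPED.fetch_add(1, SeqCst); }
}

// Guard: on unwind, drops only the `init` slots that were really written.
struct InitGuard<'a, T> { buf: &'a mut [MaybeUninit<T>], init: usize }
impl<T> Drop for InitGuard<'_, T> {
    fn drop(&mut self) {
        for slot in &mut self.buf[..self.init] {
            unsafe { slot.assume_init_drop() }; // sound: slot < init was written
        }
    }
}

// Hypothetical helper (not arenavec's API): build a Vec of `len` defaults.
fn new_default_vec<T: Default>(len: usize) -> Vec<T> {
    let mut buf: Vec<MaybeUninit<T>> = (0..len).map(|_| MaybeUninit::uninit()).collect();
    let mut guard = InitGuard { buf: &mut buf[..], init: 0 };
    for i in 0..len {
        let v = T::default(); // may panic; guard.init still excludes slot i
        guard.buf[i].write(v);
        guard.init = i + 1;   // count the slot only after it holds a value
    }
    std::mem::forget(guard);  // success: elements now belong to the result
    buf.into_iter().map(|s| unsafe { s.assume_init() }).collect()
}

fn main() {
    let r = panic::catch_unwind(|| new_default_vec::<Flaky>(5));
    println!("panicked={} made={} dropped={}", r.is_err(), MADE.load(SeqCst), DROPPED.load(SeqCst));
}
```
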

Exploitation

An attacker does not need special network position or authentication. The vulnerability is triggered when a program using the arenavec crate invokes the affected functions and a panic occurs during T::default() or T::drop(). An attacker who can control the type T or the closure passed to resize_with to cause a panic can exploit this. No special privileges or user interaction beyond the normal operation of the program is required [1][2].

Impact

Successful exploitation results in memory corruption, specifically a drop of uninitialized memory or a double-free. This can lead to undefined behavior, program crashes, or potentially arbitrary code execution. According to the RustSec advisory, the CVSS score is 7.5 (HIGH), with a high availability impact [2][3].

Mitigation

As of the advisory (published 2021-01-12, last modified 2023-06-13), there is no patched version of the arenavec crate [1][2]. The crate appears unmaintained; users should avoid it or move to an alternative memory management solution. The vulnerability is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
arenavec (crates.io) | <= 0.1.1 | none listed

Affected products

2

Patches

0

No patches discovered yet.

References

4
