CVE-2021-29931

The arenavec Rust crate through version 2021-01-12 contains a panic safety vulnerability in functions such as Slice::new and SliceVec::resize_with. When a panic occurs during T::default() or T::drop() within these functions, the crate may drop uninitialized memory or perform a double drop of a value, violating memory safety guarantees [1][2].

Exploitation of this vulnerability requires triggering a panic while the crate's operations are in progress. The CVSS score of 7.5 (High) indicates the attack vector is network-based, with low complexity and no privileges required, though user interaction is not needed [3]. Attackers who can cause a controlled panic, such as through unexpected input, can exploit this unsafe behavior.

Successful exploitation leads to memory corruption, potentially enabling a denial of service. According to the RustSec advisory, no patched version of the crate exists, so users should avoid using this crate or apply alternative mitigations [2].