CVE-2021-29939

Vulnerability

Overview

The StackVec::extend method in the Rust stackvector crate (prior to version 1.0.9) contains an out-of-bounds write flaw due to improper handling of iterator size_hint data. The function uses the iterator's reported upper bound to check capacity, but then writes up to lower_bound elements directly into the stack-allocated buffer using unsafe pointer arithmetic [1][3]. If an iterator reports an upper bound smaller than its lower bound, the safety check passes while the loop writes beyond the allocated stack memory, corrupting adjacent data.

Exploitation

Surface

An attacker can trigger this vulnerability by supplying a crafted iterator that returns a size_hint with a lower bound exceeding its upper bound. For example, a malicious iterator reporting size_hint(10, 1) would pass the capacity check (since the upper bound appears small) but then attempt to write 10 elements into insufficient space [1]. The issue requires no special privileges or user interaction; a program using StackVec::extend with untrusted iterator input is at risk. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects the broad network attack surface [3].

Impact

Successful exploitation results in an out-of-bounds write on the stack, which can corrupt adjacent memory. This may lead to crashes, data corruption, or potentially arbitrary code execution, depending on the memory layout and the attacker's control over the overwritten data [3]. The vulnerability affects the confidentiality, integrity, and availability of the application, though each is rated as low impact in the CVSS score.

Mitigation

The issue was patched in stackvector version 1.0.9, released on March 30, 2021. Users should update to at least this version. The advisory is tracked under RUSTSEC-2021-0048 [3]. No workaround exists other than avoiding the use of StackVec::extend with untrusted iterators before patching.