CVE-2021-30455
Description
An issue was discovered in the id-map crate through 2021-02-26 for Rust. A double free can occur in IdMap::clone_from upon a .clone panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Double-free vulnerability in id-map Rust crate via `clone_from` and `get_or_insert` when user-provided operations panic.
Vulnerability
The id-map crate (versions through 2021-02-26) for Rust contains a double-free vulnerability in the IdMap::clone_from and get_or_insert functions. In clone_from, the implementation drops existing values before cloning from another map. If T::clone panics during the cloning loop, previously dropped values are freed again, causing a double-free. In get_or_insert, space is reserved for a new value before calling the user-provided insertion function f. If f panics, the reserved but unwritten memory can lead to a double-free when the map is subsequently dropped. This is a panic safety issue arising from improper handling of unwind safety in unsafe code [1][3].
Exploitation
An attacker does not need special network position or authentication; the vulnerability is triggered purely by causing a panic during a controlled operation. For clone_from, the attacker must supply a type T whose clone() method panics under predictable conditions (e.g., on a specific clone call). For get_or_insert, the attacker must control the insertion function f to panic after space is reserved but before the value is written. No user interaction beyond running code that uses the affected functions is required [1][3].
Impact
A double-free in Rust’s memory model can corrupt the allocator state, leading to a program crash (denial of service) or potentially memory corruption that an attacker could exploit for arbitrary code execution if the environment meets certain conditions. The impact is undefined behavior in safe Rust code, theoretically enabling privilege escalation within the process. However, the advisory notes that no patched version exists, so the risk remains unmitigated [1][2][3].
Mitigation
As of the advisory publication (April 2, 2021) and subsequent updates, no patched version of id-map has been released; the crate is considered unmaintained [3]. The only mitigation is to avoid using the id-map crate entirely, replacing it with safer alternatives such as indexmap or slotmap. Users cannot safely call clone_from or get_or_insert without risking double-frees. There is no KEV listing for this CVE [2][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
id-mapcrates.io | <= 0.2.1 | — |
Affected products
2- Rust/id-mapdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-8gmx-cpcg-f8h5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-30455ghsaADVISORY
- github.com/andrewhickman/id-map/issues/3ghsaWEB
- rustsec.org/advisories/RUSTSEC-2021-0052.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.