VYPR
Critical severity · NVD Advisory · Published Apr 7, 2021 · Updated Aug 3, 2024

CVE-2021-30457

Description

An issue was discovered in the id-map crate through 2021-02-26 for Rust. A double free can occur in remove_set upon a panic in a Drop impl.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free vulnerability in Rust's id-map crate could be triggered via panic in a Drop impl, leading to memory corruption.

Vulnerability

The remove_set function in the id-map crate (through 2021-02-26) is affected by a double-free vulnerability when a panic occurs inside a Drop implementation of a stored value [1][3]. The issue arises from incorrect handling during panic unwinding, causing previously dropped values to be freed again. This affects all versions of the crate up to the reported date.

Exploitation

An attacker must be able to insert a value whose Drop implementation panics and later call remove_set on that map. This requires the ability to provide a custom type with a panicking Drop impl, which is feasible in environments where user-controlled code can be executed (e.g., libraries processing untrusted data). The panic during the remove_set operation triggers a double free [1].

Impact

A double free can lead to memory corruption, potentially enabling arbitrary code execution, data corruption, or a denial-of-service condition. The exact impact depends on how the memory allocator handles the freed memory and the overall program state [3].

Mitigation

No patched version of the id-map crate has been released [3]. The recommended mitigation is to avoid using the crate with types that may panic in their Drop implementation, or to use alternative crates that provide safer memory handling.
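The bug class described above, as an added Rust example (not code from the id-map crate or from this advisory): a container that clears its occupancy flag before running each destructor, so a panic in a Drop impl cannot lead to a second drop. `Slots`, `Noisy` and `drops_after_panicking_removal` are hypothetical names, and the flag-per-slot layout is an assumption, not id-map's actual design.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::rc::Rc;

// Hypothetical slot store: `live[i]` says whether `data[i]` holds a value.
struct Slots<T> { data: Vec<MaybeUninit<T>>, live: Vec<bool> }

impl<T> Slots<T> {
    fn new() -> Self { Slots { data: Vec::new(), live: Vec::new() } }
    fn insert(&mut self, v: T) { self.data.push(MaybeUninit::new(v)); self.live.push(true); }
    // Panic-safe removal: clear the flag BEFORE running the destructor.
    // Dropping first and clearing afterwards leaves a stale `true` behind
    // if `T::drop` panics, and `Slots::drop` would then drop the slot again.
    fn remove_all(&mut self) {
        for i in 0..self.data.len() {
            if std::mem::replace(&mut self.live[i], false) {
                // SAFETY: the flag was set, so the slot is initialised; it is
                // already cleared, so no later path can drop this slot again.
                unsafe { self.data[i].assume_init_drop() };
            }
        }
    }
}

impl<T> Drop for Slots<T> {
    fn drop(&mut self) { self.remove_all(); }
}

// Constructed test type: counts destructor calls, optionally panics in `drop`.
struct Noisy { drops: Rc<Cell<usize>>, panic_on_drop: bool }

impl Drop for Noisy {
    fn drop(&mut self) {
        self.drops.set(self.drops.get() + 1);
        if self.panic_on_drop { panic!("constructed panic in Drop"); }
    }
}

// Stores three values whose middle destructor panics during removal.
// Returns (removal panicked, total destructor calls).
fn drops_after_panicking_removal() -> (bool, usize) {
    let drops = Rc::new(Cell::new(0));
    let mut slots = Slots::new();
    for p in [false, true, false] { slots.insert(Noisy { drops: drops.clone(), panic_on_drop: p }); }
    let panicked = catch_unwind(AssertUnwindSafe(|| slots.remove_all())).is_err();
    drop(slots); // container destructor runs after the interrupted removal
    (panicked, drops.get())
}
fn main() { println!("{:?}", drops_after_panicking_removal()); }
```

Three stored values produce exactly three destructor calls even though removal is interrupted; a count above three would indicate a double drop.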

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
id-map (crates.io) | <= 0.2.1 |

Affected products

2

Patches

0

No patches discovered yet.

References

4
