VYPR
High severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45681

Description

The derive-com-impl Rust crate before 0.1.2 fails to call AddRef in QueryInterface, leading to memory corruption and invalid references.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The derive-com-impl crate before version 0.1.2, a required dependency of com-impl, generates a faulty implementation of the IUnknown::QueryInterface method. The generated implementation does not call IUnknown::AddRef before returning the interface pointer, violating the COM specification [2]. The resulting reference-count imbalance can lead to invalid references and memory corruption.

Exploitation

An attacker would need to trigger calls to QueryInterface on COM objects that use the affected derive macro. The missing AddRef causes the reference count to be lower than expected. Subsequent calls to IUnknown::Release will drop references prematurely, potentially freeing memory while still in use [2]. No authentication or special privileges are required if the affected code is used in a COM context.
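The reference-count accounting described in the Vulnerability and Exploitation sections, as an added illustration that is not code from derive-com-impl or the advisory. It models a COM object with an IUnknown-style counter in safe Rust (Rc stands in for raw COM pointers) and contrasts a QueryInterface that omits AddRef with one that calls it, showing how the caller's balancing Release drives the count to zero while the creator still holds a pointer.

```rust
use std::cell::Cell;
use std::rc::Rc;
/// Minimal stand-in for a COM object with an IUnknown-style reference count.
/// Real COM hands out raw pointers; Rc here only keeps the demo memory-safe.
struct ComObject {
    refcount: Cell<u32>,
}

impl ComObject {
    /// CoCreateInstance-style constructor: the creator starts with one reference.
    fn new() -> Rc<Self> {
        Rc::new(ComObject { refcount: Cell::new(1) })
    }
    fn add_ref(&self) -> u32 {
        self.refcount.set(self.refcount.get() + 1);
        self.refcount.get()
    }

    /// Release returns the new count; reaching 0 destroys the object in real COM,
    /// and an Err models a Release against an object that was already destroyed.
    fn release(&self) -> Result<u32, &'static str> {
        let n = self.refcount.get().checked_sub(1).ok_or("Release on freed object")?;
        self.refcount.set(n);
        Ok(n)
    }

    /// Buggy QueryInterface: returns the interface pointer without AddRef
    /// (the behaviour the advisory describes for derive-com-impl before 0.1.2).
    fn query_interface_buggy(self: &Rc<Self>) -> Rc<Self> {
        Rc::clone(self)
    }

    /// Correct QueryInterface: AddRef the pointer being handed out, since the
    /// caller will balance it with its own Release.
    fn query_interface_fixed(self: &Rc<Self>) -> Rc<Self> {
        self.add_ref();
        Rc::clone(self)
    }
}

/// Constructed scenario: the creator makes an object, a caller obtains a second
/// interface via QueryInterface and Releases it, then the creator Releases its own.
/// Returns (count after the caller's Release, result of the creator's Release).
fn run_scenario(use_fixed: bool) -> (u32, Result<u32, &'static str>) {
    let obj = ComObject::new();
    let iface = if use_fixed { obj.query_interface_fixed() } else { obj.query_interface_buggy() };
    let after_caller = iface.release().expect("first Release is always balanced");
    (after_caller, obj.release())
}
```

With the buggy QueryInterface the count is already 0 after the caller's Release, so the creator's own Release acts on a destroyed object; with the fixed version the count returns to 1 and the creator's Release cleanly reaches 0.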

Impact

Successful exploitation can lead to invalid references and memory corruption, which may result in denial of service or potentially arbitrary code execution depending on how the freed memory is reused [2]. The vulnerability affects confidentiality, integrity, and availability.

Mitigation

The issue is fixed in version 0.1.2 of derive-com-impl [2][4]. Users should update to version 0.1.2 or later. The RustSec advisory states there is no simple workaround other than manually modifying the expanded macro code to add the AddRef call [2]. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: derive-com-impl (crates.io)
Affected versions: >= 0
Patched versions: (not listed)
