CVE-2021-45682
Description
An issue was discovered in the bronzedb-protocol crate through 2021-01-03 for Rust. ReadKVExt may read from uninitialized memory locations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The bronzedb-protocol crate's ReadKVExt implementation reads from uninitialized memory, leading to undefined behavior and potential memory exposure.
Vulnerability
The bronzedb-protocol crate up to version 2021-01-03 for Rust contains a soundness issue in its ReadKVExt trait implementation. The read_key() and read_value() methods create a Vec with uninitialized memory using Vec::set_len() before passing it to a user-provided Read implementation via read_exact(). This allows safe Rust code to read from uninitialized memory locations, which constitutes undefined behavior. Affected versions include all releases up to and including the version dated 2021-01-03; no patched version has been released [1][3][4].
Exploitation
An attacker needs to control the Read implementation supplied to the affected methods. If a user implements the Read trait for a custom type and provides it to ReadKVExt::read_key() or read_value(), the attacker's Read implementation can deliberately read from the uninitialized buffer passed by the crate. The attacker can also return an incorrect number of bytes, causing the buffer to contain uninitialized data upon return. The exploit does not require network access or privilege escalation beyond the ability to pass a malicious Read instance to the affected functions [3][4].
Impact
Successful exploitation allows an attacker to read uninitialized memory, leading to potential exposure of sensitive data (memory disclosure). Reading uninitialized memory is undefined behavior in Rust, so the outcome depends on how the compiler and the caller treat the returned bytes; beyond disclosure of stale heap contents, this may result in more severe consequences such as crashes or arbitrary code execution, depending on how the returned data is used. The unsoundness originates in the crate's own unsafe code, so callers that write only safe Rust are still exposed [3][4].
Mitigation
As of the latest advisory, there is no patched version of bronzedb-protocol available; the RustSec advisory lists "no patched versions" [4]. Users should avoid using the ReadKVExt trait with untrusted Read implementations, or remove reliance on this crate entirely. Alternative crates or manual memory-safe implementations are recommended. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
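The following is an added example, not code from the bronzedb-protocol crate or its advisory. It shows the memory-safe replacement for the pattern the Vulnerability section describes (a Vec grown with Vec::set_len before read_exact) so that a caller's Read implementation can never observe uninitialized bytes. The ReadKVExt wire format and method signatures are not on this page, so the trait below (ReadKvSafe, with a little-endian u32 length prefix) and the MAX_ENTRY_LEN limit are assumptions for illustration.

```rust
use std::io::{self, Read};

// Upper bound on a length prefix, so a corrupt or hostile prefix cannot force a
// huge allocation. The value is an assumption, not taken from the crate.
const MAX_ENTRY_LEN: usize = 16 * 1024 * 1024;

/// Reads exactly `len` bytes into a fresh Vec without ever handing
/// uninitialized memory to the `Read` implementation.
///
/// The unsound pattern described in the advisory is roughly:
///     let mut buf = Vec::with_capacity(len);
///     unsafe { buf.set_len(len) };   // contents are uninitialized
///     reader.read_exact(&mut buf)?;  // safe code may now observe stale memory
/// Here the buffer is zero-initialized first, so a `Read` impl that lies about
/// how many bytes it wrote, or that returns early, can only leave zeros behind.
pub fn read_exact_vec<R: Read + ?Sized>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    if len > MAX_ENTRY_LEN {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "length prefix exceeds limit"));
    }
    let mut buf = vec![0u8; len];
    // read_exact loops until the buffer is full and reports UnexpectedEof on
    // truncated input, so the caller never receives a partially filled entry.
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

/// Stand-in for the crate's ReadKVExt (assumed shape): each key or value is a
/// little-endian u32 length prefix followed by that many bytes.
pub trait ReadKvSafe: Read {
    fn read_len(&mut self) -> io::Result<usize> {
        let mut prefix = [0u8; 4];
        self.read_exact(&mut prefix)?;
        Ok(u32::from_le_bytes(prefix) as usize)
    }
    fn read_key(&mut self) -> io::Result<Vec<u8>> {
        let len = self.read_len()?;
        read_exact_vec(self, len)
    }
    fn read_value(&mut self) -> io::Result<Vec<u8>> {
        let len = self.read_len()?;
        read_exact_vec(self, len)
    }
}
impl<R: Read> ReadKvSafe for R {}

/// Builds one length-prefixed entry; used only to construct sample input.
pub fn encode_entry(bytes: &[u8]) -> Vec<u8> {
    let mut out = (bytes.len() as u32).to_le_bytes().to_vec();
    out.extend_from_slice(bytes);
    out
}

fn main() -> io::Result<()> {
    // Constructed sample record: key "user:42" followed by value "alice".
    let mut record = encode_entry(b"user:42");
    record.extend(encode_entry(b"alice"));
    let mut cursor = io::Cursor::new(record);
    let key = cursor.read_key()?;
    let value = cursor.read_value()?;
    println!(
        "key={:?} value={:?}",
        String::from_utf8_lossy(&key),
        String::from_utf8_lossy(&value)
    );
    Ok(())
}
```

Zero-initializing costs one memset per entry; an equivalent sound alternative is `reader.take(len as u64).read_to_end(&mut buf)` followed by a check that `buf.len() == len`, since `read_to_end` only grows the Vec by bytes that were actually written.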
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bronzedb-protocol (crates.io) | <= 0.1.0 | — |
Affected products
- bronzedb-protocol/bronzedb-protocol
- Range: <= 2021-01-03
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jv2r-jx6q-89jg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-45682 (NVD advisory)
- github.com/Hexilee/BronzeDB/issues/1 (web)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/bronzedb-protocol/RUSTSEC-2021-0084.md (web)
- rustsec.org/advisories/RUSTSEC-2021-0084.html (web)
News mentions
No linked articles in our index yet.