CVE-2021-45686
Description
An issue was discovered in the csv-sniffer crate through 2021-01-05 for Rust. preamble_skipcount may read from uninitialized memory locations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The csv-sniffer crate through 2021-01-05 passes an uninitialized buffer to a user-provided Read implementation, leading to undefined behavior.
Vulnerability
CVE-2021-45686 is a memory-safety/soundness issue in the csv-sniffer crate for Rust, up to version 0.1.2. The function preamble_skipcount() in src/lib.rs creates a buffer with Vec::with_capacity(cap) and then uses unsafe { buffer.set_len(cap); } to set the length without initializing the memory [1][2][3]. This uninitialized buffer is then passed to a user-provided std::io::Read implementation via reader.read(&mut buffer) [3]. The affected versions pass an uninitialized buffer to user-provided code, violating Rust's safety guarantees.
Exploitation
To exploit this vulnerability, an attacker must control the Read implementation passed to preamble_skipcount() [2][3]. The function is pub(crate), so it is accessible within the crate and potentially through public APIs that expose it to external Read types. When the function is invoked, the Read::read() method can read the uninitialized buffer, exposing heap memory contents from previous allocations [3]. Additionally, if the Read implementation returns an arbitrary byte count, it can cause undefined behavior immediately [2]. No authentication or special privileges are required; only the ability to pass a crafted Read instance to the vulnerable function.
Impact
Successful exploitation allows an attacker to read uninitialized memory (memory exposure), resulting in the disclosure of sensitive data from the heap [2][3]. This can lead to undefined behavior (UB) because reading uninitialized memory produces undefined values that may include addresses or secrets [2]. The attacker may also cause further UB if the Read implementation returns incorrect byte counts, potentially leading to other security issues such as buffer over-reads or logic errors.
Mitigation
The vulnerability is fixed in version 0.2.0 of the csv-sniffer crate [2]. Patches were contributed in pull request #2 [4], which modernizes the code and removes the use of uninitialized buffers. Users should update to csv-sniffer >=0.2.0 immediately [2]. There is no known workaround for affected versions; the crate must be upgraded to avoid the unsound behavior.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
csv-sniffercrates.io | < 0.2.0 | 0.2.0 |
Affected products
3- csv-sniffer/csv-snifferdescription
- Range: <=2021-01-05
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-9783-42pm-x5jqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-45686ghsaADVISORY
- github.com/jblondin/csv-sniffer/issues/1ghsaWEB
- github.com/jblondin/csv-sniffer/pull/2ghsaWEB
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/csv-sniffer/RUSTSEC-2021-0088.mdghsax_refsource_MISCWEB
- rustsec.org/advisories/RUSTSEC-2021-0088.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.