CVE-2021-45687
Description
An issue was discovered in the raw-cpuid crate before 9.1.1 for Rust. If the serialize feature is used (which is not the default), a Deserialize operation may lack sufficient validation, leading to memory corruption or a panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The raw-cpuid Rust crate before 9.1.1 with the 'serialize' feature has insufficient validation in Deserialize implementations, enabling memory corruption or panics.
Vulnerability
The raw-cpuid crate (versions >=3.2.0, <9.1.1) for Rust contains a vulnerability in the Deserialize implementations for most structs when the non-default serialize feature is enabled [2][4]. The deserialization logic lacks sufficient input validation, allowing crafted deserialized data to break internal invariants [1][2]. This affects all releases from 3.2.0 up to but not including 9.1.1 [2][4].
Exploitation
An attacker must supply a malicious serialized payload to be deserialized by a component that uses the raw-cpuid crate with the serialize feature enabled [2][4]. The attacker does not require special privileges or user interaction beyond delivering the payload through a legitimate deserialization path [2]. Once deserialized, the invalid data triggers undefined behavior or assertion failures [2].
Impact
Successful exploitation can lead to undefined behavior (specifically in as_string() methods, which internally call std::str::from_utf8_unchecked()) or panics due to failed assertions, resulting in memory corruption or denial-of-service [2][4]. The attack affects safety guarantees in safe Rust code, potentially compromising process integrity [2].
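The broken-invariant pattern described above, as an added example that is not raw-cpuid's code or its actual fix: `VendorText`, `DecodeError` and `from_fields_unvalidated` are hypothetical names, and the sample bytes are constructed. It shows that an accessor built on `from_utf8_unchecked()` is sound only when every construction path, deserialization included, validates its input first.

```rust
use std::convert::TryFrom;

// Hypothetical stand-in for a struct holding CPUID text; not a raw-cpuid type.
pub struct VendorText {
    bytes: [u8; 12], // invariant: always valid UTF-8
}

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    BadLength(usize),
    NotUtf8,
}

impl VendorText {
    // Models a deserializer that copies fields in without checking them.
    pub fn from_fields_unvalidated(bytes: [u8; 12]) -> Self {
        VendorText { bytes }
    }

    // The pattern named in the advisory: sound only while the invariant holds.
    pub fn as_string_unchecked(&self) -> &str {
        unsafe { std::str::from_utf8_unchecked(&self.bytes) }
    }

    // Checked accessor: reports a broken invariant instead of trusting it.
    pub fn as_string(&self) -> Result<&str, DecodeError> {
        std::str::from_utf8(&self.bytes).map_err(|_| DecodeError::NotUtf8)
    }
}

// Validation gate for untrusted bytes: length first, then UTF-8.
impl<'a> TryFrom<&'a [u8]> for VendorText {
    type Error = DecodeError;
    fn try_from(raw: &'a [u8]) -> Result<Self, DecodeError> {
        let bytes = <[u8; 12]>::try_from(raw).map_err(|_| DecodeError::BadLength(raw.len()))?;
        std::str::from_utf8(&bytes).map_err(|_| DecodeError::NotUtf8)?;
        Ok(VendorText { bytes })
    }
}

fn main() {
    let mut forged = *b"GenuineIntel"; // constructed sample input
    forged[3] = 0xFF; // 0xFF never appears in valid UTF-8
    println!("gate: {:?}", VendorText::try_from(&forged[..]).err());
    let v = VendorText::from_fields_unvalidated(forged);
    println!("checked accessor on unvalidated value: {:?}", v.as_string());
}
```

With a serde-based type, the same gate can be applied by deserializing into a plain intermediate value and converting through the validating `TryFrom`, so no instance exists that skipped the check.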
Mitigation
The vulnerability is patched in raw-cpuid version 9.1.1 and later [2][4]. Users should update to at least 9.1.1. If an immediate update is not possible, the serialize feature can be disabled (it is not enabled by default) to avoid the vulnerable code path [1][2]. Versions 3.1.0 and earlier are unaffected by this specific issue [2][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| raw-cpuid (crates.io) | >= 3.1.0, < 9.1.1 | 9.1.1 |
Affected products
- raw-cpuid/raw-cpuid
References
- github.com/advisories/GHSA-w428-f65r-h4q2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-45687 (ghsa, ADVISORY)
- github.com/gz/rust-cpuid/issues/43 (ghsa, WEB)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/raw-cpuid/RUSTSEC-2021-0089.md (ghsa, x_refsource_MISC, WEB)
- rustsec.org/advisories/RUSTSEC-2021-0089.html (ghsa, x_refsource_MISC, WEB)