VYPR
Moderate severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45707

Description

An out-of-bounds write in nix::unistd::getgrouplist occurs when a user belongs to more than 16 groups, leading to memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds write vulnerability exists in the nix::unistd::getgrouplist function of the Rust nix crate, affecting versions 0.16.0 and later before 0.20.2, 0.21.x before 0.21.2, and 0.22.x before 0.22.2 [1][3]. The function wraps the libc getgrouplist call with an in/out parameter ngroups indicating the buffer size. When the initial buffer (size 8) is too small, certain libc implementations (e.g., glibc) modify ngroups to the actual number of groups and return an error. However, the nix wrapper resizes the buffer to twice its size but does not update ngroups accordingly, so a subsequent call can write past the buffer end if the user has more than 16 groups (i.e., more than twice the initial buffer size) [3][4].
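The retry logic described above, as an added model that is not code from the nix crate or from this advisory. `libc_model` and `lookup` are hypothetical names, the libc call is replaced by a safe stand-in that reports where the out-of-bounds write would happen, and resetting `ngroups` to the buffer capacity before each call is an assumed way of keeping the two in sync.

```rust
// Simplified model of the retry loop described above. No libc call is made.
#[derive(Debug, PartialEq)]
enum Outcome {
    Groups(Vec<u32>),
    OutOfBoundsWrite { capacity: usize, written: usize },
}

// Stand-in for a glibc-style getgrouplist (hypothetical helper). `ngroups` is
// in/out: the caller's claimed buffer size in, the user's real group count out.
// Err(n) marks the point where real libc would write n entries into a smaller `buf`.
fn libc_model(actual: &[u32], buf: &mut [u32], ngroups: &mut usize) -> Result<i32, usize> {
    let to_write = actual.len().min(*ngroups); // libc trusts the claimed size
    if to_write > buf.len() {
        return Err(to_write);
    }
    buf[..to_write].copy_from_slice(&actual[..to_write]);
    let fits = actual.len() <= *ngroups;
    *ngroups = actual.len(); // report the real group count back to the caller
    Ok(if fits { actual.len() as i32 } else { -1 })
}

// `reset_ngroups = false` models the vulnerable wrapper, `true` the corrected one.
fn lookup(actual: &[u32], reset_ngroups: bool) -> Outcome {
    let mut cap = 8usize; // initial buffer size given in the advisory
    let mut ngroups = cap;
    loop {
        let mut buf = vec![0u32; cap];
        if reset_ngroups {
            ngroups = cap; // claimed size always equals the real capacity
        }
        match libc_model(actual, &mut buf, &mut ngroups) {
            Err(written) => return Outcome::OutOfBoundsWrite { capacity: cap, written },
            Ok(n) if n >= 0 => {
                buf.truncate(n as usize);
                return Outcome::Groups(buf);
            }
            Ok(_) => cap *= 2, // grow the buffer; vulnerable path keeps stale ngroups
        }
    }
}

fn main() {
    let twelve: Vec<u32> = (1000..1012).collect(); // constructed sample GIDs
    let twenty: Vec<u32> = (1000..1020).collect(); // constructed sample GIDs
    println!("12 groups, vulnerable: {:?}", lookup(&twelve, false));
    println!("20 groups, vulnerable: {:?}", lookup(&twenty, false));
    println!("20 groups, corrected:  {:?}", lookup(&twenty, true));
}
```

In the model, a user with up to 16 groups is handled correctly even by the vulnerable path, which is why the defect only shows up for larger memberships.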

Exploitation

An attacker would need the ability to add a user to more than 16 groups in /etc/groups, which typically requires root or equivalent administrative privileges on the system [3][4]. The vulnerable code path is triggered by any application that calls nix::unistd::getgrouplist for a user with such a large group membership. No user interaction beyond this call is required; the out-of-bounds write happens inside the libc call that the nix wrapper makes.

Impact

Successful exploitation results in an out-of-bounds write, causing memory corruption [3][4]. This can lead to undefined behavior, including denial of service, data corruption, or potentially arbitrary code execution depending on the memory layout and system state. The compromise occurs at the privilege level of the process calling getgrouplist.

Mitigation

The issue is fixed in nix versions 0.20.2, 0.21.2, 0.22.2, and all later versions (>=0.23.0) [3][4]. Users should upgrade to one of these patched releases. No workaround is available for unpatched versions. The vulnerability is considered low severity because exploitation requires administrative access to group files. The CVE is not listed in the known exploited vulnerabilities (KEV) catalog as of publication.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| nix (crates.io) | >= 0.16.0, < 0.20.2 | 0.20.2 |
| nix (crates.io) | >= 0.21.0, < 0.21.2 | 0.21.2 |
| nix (crates.io) | >= 0.22.0, < 0.22.2 | 0.22.2 |
