CVE-2021-45714
Description
An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_aggregate_function has a use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in rusqlite's `create_aggregate_function` (and other callback-registering functions) due to incorrect lifetime bounds allows accessing stack memory after it has been freed.
Vulnerability
A use-after-free vulnerability exists in the rusqlite crate for Rust, affecting versions 0.25.0 through 0.25.3 and 0.26.0 through 0.26.1 [1][2]. The issue occurs in the function create_aggregate_function (and related callback-registering functions such as create_scalar_function, create_window_function, create_collation, commit_hook, rollback_hook, and update_hook) under the corresponding cfg feature flags [2][4]. An incorrect lifetime bound on the closure parameter allows a closure referencing borrowed values on the stack to be passed to these functions. When SQLite later invokes the callback after the stack frame has been dropped, the closure may attempt to access memory that has already been freed [2][4].
Exploitation
An attacker does not require network access or special privileges beyond the ability to supply Rust code that uses the affected rusqlite API. The attacker must craft a closure that captures borrowed references to stack variables. By passing this closure to one of the impacted functions (e.g., create_aggregate_function), the closure’s lifetime bound is incorrectly relaxed, allowing the closure to outlive the data it references. When SQLite triggers the callback after the borrowed data has been dropped, the closure accesses freed memory, leading to undefined behavior [2][4]. This is a memory corruption vulnerability exploitable through crafted Rust source code.
Impact
Successful exploitation results in a use-after-free condition, which can lead to memory corruption, information disclosure, or arbitrary code execution depending on the attacker's control over the freed memory. The Rust compiler’s safety guarantees are bypassed, potentially allowing safe Rust code to trigger undefined behavior. The CIA impact is high because an attacker can read sensitive data, corrupt program state, or execute arbitrary code in the context of the affected application [2][4].
Mitigation
The vulnerability is fixed in rusqlite versions 0.25.4 and 0.26.2 [2][4]. Users should upgrade to the patched versions (0.25.4 or 0.26.2 or later) as soon as possible. For users of versions prior to 0.25.0, the advisory indicates the vulnerability is not present [2][4]. No known workarounds exist for affected versions. The advisory was published on 2021-12-09 and is also tracked under multiple GHSA identifiers [2]. There is no indication that this CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rusqlitecrates.io | >= 0.25.0, < 0.25.4 | 0.25.4 |
rusqlitecrates.io | >= 0.26.0, < 0.26.2 | 0.26.2 |
Affected products
2- rust/rusqlitedescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-f6f2-3w33-54r9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-45714ghsaADVISORY
- github.com/rusqlite/rusqlite/issues/1048ghsaWEB
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/rusqlite/RUSTSEC-2021-0128.mdghsax_refsource_MISCWEB
- rustsec.org/advisories/RUSTSEC-2021-0128.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.