CVE-2021-45715
Description
An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_window_function has a use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in rusqlite's create_window_function due to incorrect lifetime bounds on closures, affecting versions before 0.25.4 and 0.26.2.
Vulnerability
A use-after-free vulnerability exists in the rusqlite crate for Rust, specifically in the create_window_function method (and other callback-registering functions) when the functions feature is enabled. The issue arises from incorrect lifetime bounds on closures passed to these functions, allowing a closure that references borrowed stack data to be invoked after the data has been dropped. Affected versions are 0.25.0 through 0.25.3 and 0.26.0 through 0.26.1 [2][4].
Exploitation
An attacker must convince a user to call create_window_function (or similar functions such as create_scalar_function or create_aggregate_function) with a closure that captures borrowed values from the stack. If the closure is later invoked by SQLite after those stack frames have been deallocated, accessing the captured data results in undefined behavior, including use-after-free. The attack requires the user to compile and run code using the vulnerable crate under the affected version range [2][4].
Impact
Successful exploitation leads to memory corruption, which can cause a crash or, in the worst case, arbitrary code execution. The vulnerability is classified as memory corruption and can compromise the confidentiality, integrity, and availability of the application [2][4].
Mitigation
Users should upgrade to rusqlite version 0.26.2 or 0.25.4, which contain the fix for this issue. Alternatively, restrict use of the functions feature if upgrading is not immediately possible. No workaround other than patching is known [2][4].
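As an added illustration (not rusqlite's code), the mock below models the callback registration the narrative describes: a connection stores a window-function implementation and the engine invokes its step/inverse/value callbacks after the scope that registered it has already returned. The `'static` supertrait on the hypothetical `WindowAggregate` trait is the kind of lifetime bound the fixed versions require; without it, an implementor could hold a reference to stack data that no longer exists when the engine calls back. `MockConnection`, `WindowAggregate`, `ScaledMovingSum`, `run_window` and `register_in_inner_scope` are names assumed for this example and are not rusqlite's API.

```rust
// Added example, not rusqlite's code: a mock of a SQLite-style
// window-function registry whose callbacks are bounded by 'static.
use std::collections::HashMap;

/// Callbacks the engine would invoke for a window function: `step` adds a
/// row to the window, `inverse` removes one, `value` reports the current
/// result. The `'static` supertrait is the security-relevant part: an
/// implementor cannot hold borrows of stack data that may be dropped
/// before the engine calls back, so the use-after-free cannot be expressed.
pub trait WindowAggregate: 'static {
    fn step(&mut self, v: i64);
    fn inverse(&mut self, v: i64);
    fn value(&self) -> i64;
}

/// Stand-in for a database connection (hypothetical, not rusqlite's type).
/// It keeps registered functions alive for its own lifetime.
#[derive(Default)]
pub struct MockConnection {
    window_fns: HashMap<String, Box<dyn WindowAggregate>>,
}

impl MockConnection {
    /// Registers a window function. Only `'static` implementors are
    /// accepted, so whatever the aggregate refers to outlives the
    /// registration by construction.
    pub fn create_window_function<A: WindowAggregate>(&mut self, name: &str, agg: A) {
        self.window_fns.insert(name.to_string(), Box::new(agg));
    }

    /// Simulates the engine evaluating `name` over a sliding window of
    /// `width` rows, returning one value per row. This runs after the
    /// scope that registered the function has returned.
    pub fn run_window(&mut self, name: &str, rows: &[i64], width: usize) -> Option<Vec<i64>> {
        let agg = self.window_fns.get_mut(name)?;
        let mut out = Vec::with_capacity(rows.len());
        for (i, &v) in rows.iter().enumerate() {
            agg.step(v);
            if i >= width {
                // The row leaving the window is removed from the state.
                agg.inverse(rows[i - width]);
            }
            out.push(agg.value());
        }
        Some(out)
    }
}

/// Moving sum scaled by an owned factor. Because `factor` is owned (copied
/// in), the struct satisfies `'static`; a `&'a i64` field would be rejected
/// by the compiler at the `create_window_function` call.
pub struct ScaledMovingSum {
    sum: i64,
    factor: i64,
}

impl WindowAggregate for ScaledMovingSum {
    fn step(&mut self, v: i64) {
        self.sum += v;
    }
    fn inverse(&mut self, v: i64) {
        self.sum -= v;
    }
    fn value(&self) -> i64 {
        self.sum * self.factor
    }
}

/// Registers the function inside a nested block and returns the connection.
/// `factor` is stack-local to that block and is gone when the engine later
/// invokes the callbacks; the `'static` bound forces it to be copied in.
pub fn register_in_inner_scope() -> MockConnection {
    let mut conn = MockConnection::default();
    {
        let factor: i64 = 2; // constructed sample value, lives only here
        conn.create_window_function("scaled_sum", ScaledMovingSum { sum: 0, factor });
    }
    conn
}

fn main() {
    let mut conn = register_in_inner_scope();
    // Constructed sample rows; a window of width 2 yields [2, 6, 10, 14].
    println!("{:?}", conn.run_window("scaled_sum", &[1, 2, 3, 4], 2));
}
```

The point of `register_in_inner_scope` is the gap between registration and invocation: the engine runs the callbacks from `run_window` long after the block that created the aggregate has ended. With the `'static` bound, the only way to write `ScaledMovingSum` is with owned fields, which is exactly what the fixed crate versions enforce for closures passed to these functions.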
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rusqlite (crates.io) | >= 0.25.0, < 0.25.4 | 0.25.4 |
| rusqlite (crates.io) | >= 0.26.0, < 0.26.2 | 0.26.2 |
Affected products
- rust/rusqlite
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-87xh-9q6h-r5cc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-45715 (GHSA, advisory)
- github.com/rusqlite/rusqlite/issues/1048 (GHSA, web)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/rusqlite/RUSTSEC-2021-0128.md (GHSA, web)
- rustsec.org/advisories/RUSTSEC-2021-0128.html (GHSA, web)
News mentions
No linked articles in our index yet.