CVE-2021-45716
Description
An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_collation has a use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in rusqlite's `create_collation` function allows accessing stack data after it has been dropped.
Vulnerability
A use-after-free vulnerability exists in the rusqlite crate for Rust, specifically in the Connection::create_collation function. The issue is caused by overly relaxed lifetime bounds on closures passed to this function, allowing a closure that references borrowed stack data to be invoked by SQLite after that data has been deallocated. The affected versions are 0.25.x before 0.25.4 and 0.26.x before 0.26.2. The function is available when the collation feature is enabled [1], [2], [4].
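The lifetime point above, as an added example (not rusqlite's code): a small stand-in for a connection that stores collation callbacks and calls them later, with the `'static` bound that stops a closure from borrowing the registering function's stack frame. The struct, the method names and `register_prefix_insensitive` are assumptions of the example, not identifiers from the advisory.

```rust
use std::cmp::Ordering;

/// Stand-in for a SQLite connection (model only, not rusqlite's type): it
/// keeps collation callbacks and invokes them long after the function that
/// registered them has returned, which is why their lifetime bound matters.
pub struct Connection {
    collations: Vec<(String, Box<dyn Fn(&str, &str) -> Ordering + Send>)>,
}

impl Connection {
    pub fn new() -> Self {
        Connection { collations: Vec::new() }
    }

    /// Hardened shape: `'static` lets the closure own its data (moved in) but
    /// forbids holding a reference into the caller's stack frame. A relaxed
    /// bound such as `C: Fn(&str, &str) -> Ordering + 'a` would let a borrow of
    /// a local escape into the connection, the use-after-free pattern of this CVE.
    pub fn create_collation<C>(&mut self, name: &str, cmp: C)
    where
        C: Fn(&str, &str) -> Ordering + Send + 'static,
    {
        self.collations.push((name.to_owned(), Box::new(cmp)));
    }

    /// The "later" call: SQLite would do this while evaluating a query.
    pub fn compare(&self, name: &str, a: &str, b: &str) -> Option<Ordering> {
        self.collations.iter().find(|(n, _)| n == name).map(|(_, f)| f(a, b))
    }
}

/// Registers a collation whose configuration lives on this function's stack.
/// `move` transfers ownership of `ignore_prefix` into the closure, the only way
/// to satisfy `'static`; a borrowing closure (`|a, b| ... ignore_prefix ...`
/// without `move`) is rejected at compile time (E0597) because the String is
/// dropped when this frame returns while the callback outlives it.
pub fn register_prefix_insensitive(conn: &mut Connection) {
    let ignore_prefix = String::from("tmp_"); // constructed sample configuration
    conn.create_collation("noprefix", move |a, b| {
        let strip = |s: &str| s.strip_prefix(ignore_prefix.as_str()).unwrap_or(s).to_owned();
        strip(a).cmp(&strip(b))
    });
} // `ignore_prefix` would be gone here if it had only been borrowed

fn main() {
    let mut conn = Connection::new();
    register_prefix_insensitive(&mut conn);
    println!("{:?}", conn.compare("noprefix", "tmp_alpha", "alpha")); // Some(Equal)
}
```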
Exploitation
An attacker would need to craft a Rust program or library that calls create_collation with a closure capturing references to stack-allocated variables. When SQLite invokes the collation callback at a later point, the stack memory may have been freed and reused, leading to a use-after-free. No special network position or authentication is required beyond the ability to execute the vulnerable code path [2], [4].
Impact
Successful exploitation results in memory corruption, potentially allowing an attacker to read or write arbitrary memory locations. This could lead to information disclosure, denial of service, or in some cases arbitrary code execution, depending on the memory layout and how the dangling pointer is used [2], [4].
Mitigation
The vulnerability is fixed in rusqlite versions 0.25.4 and 0.26.2, released on December 9, 2021. Users should update to these patched versions. Versions prior to 0.25.0 are not affected. No workaround is available other than updating [2], [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rusqlite | crates.io | >= 0.25.0, < 0.25.4 | 0.25.4 |
| rusqlite | crates.io | >= 0.26.0, < 0.26.2 | 0.26.2 |
Affected products
- rusqlite/rusqlite
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-cm8g-544f-p9x9 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-45716 (NVD advisory)
- [3] github.com/rusqlite/rusqlite/issues/1048 (upstream issue)
- [4] raw.githubusercontent.com/rustsec/advisory-db/main/crates/rusqlite/RUSTSEC-2021-0128.md (RustSec advisory source)
- [5] rustsec.org/advisories/RUSTSEC-2021-0128.html (RustSec advisory)
News mentions
No linked articles in our index yet.