CVE-2021-45717
Description
An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. commit_hook has a use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in rusqlite's commit_hook due to incorrect lifetime bounds on closures, affecting versions 0.25.x before 0.25.4 and 0.26.x before 0.26.2.
Vulnerability
A use-after-free exists in the rusqlite crate for Rust, in the `Connection::commit_hook` function provided by the `hooks` feature. The closure type accepted by this function carried an incorrect, too permissive lifetime bound, so a closure borrowing data that lives on the caller's stack was accepted even though the hook outlives that stack frame: the closure is boxed, handed to SQLite as an opaque pointer, and stays registered on the connection until it is replaced or cleared. Once the borrowed data has been dropped, the next commit invokes the closure through a dangling reference. Affected versions are 0.25.x before 0.25.4 and 0.26.x before 0.26.2 [2][4].
Exploitation
This is a soundness bug rather than something a remote party triggers directly. The unsafe condition is reached by ordinary, safe Rust code that calls `Connection::commit_hook` with a closure capturing a reference to a local (stack-allocated) value, returns from the function that owns that value while the hook remains installed, and later commits a transaction on the same connection. SQLite then calls the closure, which dereferences the stale reference. No network position or authentication is involved; what matters is whether application code built on the vulnerable crate follows this pattern, which the compiler should have rejected and did not [2][4].
Impact
The result is undefined behaviour: the hook reads, or if it captured a mutable reference writes, stack memory that has since been reused by other frames. Depending on what now occupies that memory, this can crash the process (denial of service), expose data belonging to unrelated frames (information disclosure), or corrupt live state in a way that may be exploitable for code execution [2][4].
Mitigation
The vulnerability is fixed in versions 0.25.4 and 0.26.2 of the rusqlite crate, which tighten the lifetime bound on the closure so that the unsound pattern no longer compiles; users should upgrade to these or later versions. No workarounds are documented [2][4]. Code that cannot be upgraded immediately can avoid the hazard by passing only closures that own everything they capture (use `move`, and shared ownership such as `Arc` for state that must be read back afterwards), which is the same discipline the patched bound enforces.
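To make the lifetime argument above concrete, the following is an added example, not code from the rusqlite project or from this advisory. It models how a Rust wrapper hands a closure to SQLite's C commit-hook API (a raw callback pointer plus an opaque user-data pointer, where no lifetime information survives) and why the bound on that closure is the only thing standing between a stack borrow and a dangling pointer. The `FakeSqlite`, `RawHook`, `CommitHook`, `Connection`, `commit_trampoline` and `run_owned_hook` names are assumptions for this illustration; the real crate registers its hook through `sqlite3_commit_hook`, and the exact bound the patched versions use should be read from the rusqlite source rather than from this sketch, which uses `'static`.

```rust
use std::ffi::c_void;
use std::os::raw::c_int;
use std::sync::{atomic::{AtomicUsize, Ordering}, Arc};

/// Signature of the C-ABI callback the library stores (assumed shape, modelled on sqlite3_commit_hook).
type RawHook = unsafe extern "C" fn(*mut c_void) -> c_int;

/// Constructed stand-in for the C library: it keeps a bare callback plus an opaque pointer, no lifetime.
struct FakeSqlite {
    commit_hook: Option<(RawHook, *mut c_void)>,
    committed: usize,
    rolled_back: usize,
}

impl FakeSqlite {
    /// SQLite's rule: a non-zero return from the hook turns the commit into a rollback.
    fn commit(&mut self) -> Result<(), &'static str> {
        if let Some((cb, data)) = self.commit_hook {
            // SAFETY: Connection keeps the boxed closure alive while its pointer is registered.
            if unsafe { cb(data) } != 0 {
                self.rolled_back += 1;
                return Err("commit aborted by hook");
            }
        }
        self.committed += 1;
        Ok(())
    }
}

/// The closure as it crosses the FFI boundary: boxed and type-erased. `dyn Trait` inside a
/// Box defaults to `'static`, so whatever is stored here must own its captures.
type CommitHook = Box<dyn FnMut() -> bool + Send>;

unsafe extern "C" fn commit_trampoline(data: *mut c_void) -> c_int {
    // SAFETY: `data` came from Box::into_raw and is freed only after being unregistered.
    let hook = unsafe { &mut *(data as *mut CommitHook) };
    hook() as c_int
}

pub struct Connection {
    db: FakeSqlite,
}

impl Connection {
    pub fn open() -> Self {
        Connection { db: FakeSqlite { commit_hook: None, committed: 0, rolled_back: 0 } }
    }
    /// Install (Some) or clear (None) the commit hook. The `'static` bound is the fix: once
    /// Box::into_raw has erased the closure's type the compiler can no longer see a borrow inside
    /// it, so ownership of every capture must be proven first. The vulnerable versions accepted a
    /// shorter-lived closure here, which is how a borrow of a stack local could leak into the raw pointer.
    pub fn commit_hook<F>(&mut self, hook: Option<F>)
    where
        F: FnMut() -> bool + Send + 'static,
    {
        self.clear_commit_hook();
        if let Some(f) = hook {
            let erased: CommitHook = Box::new(f);
            let raw = Box::into_raw(Box::new(erased)) as *mut c_void;
            self.db.commit_hook = Some((commit_trampoline as RawHook, raw));
        }
    }
    /// Unregister first, then free: the library must never hold a pointer to a dropped closure.
    fn clear_commit_hook(&mut self) {
        if let Some((_, data)) = self.db.commit_hook.take() {
            // SAFETY: `data` was produced by Box::into_raw in commit_hook().
            unsafe { drop(Box::from_raw(data as *mut CommitHook)) };
        }
    }
    pub fn commit(&mut self) -> Result<(), &'static str> { self.db.commit() }
    /// Returns (successful commits, commits vetoed by the hook).
    pub fn stats(&self) -> (usize, usize) { (self.db.committed, self.db.rolled_back) }
}

impl Drop for Connection { fn drop(&mut self) { self.clear_commit_hook(); } }

// With the bound above, the advisory's pattern is a compile error instead of a use-after-free:
//     let mut local = 0u32;
//     conn.commit_hook(Some(|| { local += 1; false }));
//     // error: `local` does not live long enough ... `local` is borrowed for `'static`
// State the hook must share is owned through an Arc instead, as run_owned_hook() shows.

/// Counts every commit from inside the hook and vetoes each third one.
/// Returns (hook invocations, successful commits, vetoed commits).
pub fn run_owned_hook() -> (usize, usize, usize) {
    let seen = Arc::new(AtomicUsize::new(0));
    let mut conn = Connection::open();
    let seen_in_hook = Arc::clone(&seen);
    conn.commit_hook(Some(move || {
        let n = seen_in_hook.fetch_add(1, Ordering::SeqCst) + 1;
        n % 3 == 0 // true asks the library to roll back instead of committing
    }));
    for _ in 0..6 {
        let _ = conn.commit(); // commits 3 and 6 are vetoed
    }
    conn.commit_hook(None::<fn() -> bool>); // drops the closure; the next commit runs without it
    conn.commit().expect("no hook installed, commit must succeed");
    let (committed, rolled_back) = conn.stats();
    (seen.load(Ordering::SeqCst), committed, rolled_back)
}

fn main() { println!("(hook runs, commits, rollbacks) = {:?}", run_owned_hook()); }
```

The two `unsafe` sites are deliberately the only places where a lifetime is asserted rather than checked, and both are justified by the same invariant: the boxed closure is freed only after its pointer has been removed from the library. That invariant is worthless if the closure itself points at something shorter-lived, which is exactly the gap the missing bound left open in the affected versions.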
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rusqlite (crates.io) | >= 0.25.0, < 0.25.4 | 0.25.4 |
| rusqlite (crates.io) | >= 0.26.0, < 0.26.2 | 0.26.2 |
Affected products
- rusqlite/rusqlite
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-4qr3-m7ww-hh9g (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-45717 (NVD entry)
- [3] github.com/rusqlite/rusqlite/issues/1048 (upstream issue)
- [4] raw.githubusercontent.com/rustsec/advisory-db/main/crates/rusqlite/RUSTSEC-2021-0128.md (RustSec advisory source)
- [5] rustsec.org/advisories/RUSTSEC-2021-0128.html (RustSec advisory)
News mentions
No linked articles in our index yet.