VYPR
High severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45718

Description

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. rollback_hook has a use-after-free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in rusqlite's rollback_hook function allows attackers to access freed memory under certain conditions.

Vulnerability

The rollback_hook function in the rusqlite crate for Rust (versions 0.25.x before 0.25.4 and 0.26.x before 0.26.2) has a use-after-free vulnerability. The lifetime bounds on closures passed to rollback_hook (and the other hook-registration functions) were too relaxed: rusqlite boxes the closure and hands it to SQLite, which keeps it and calls it back from C for as long as it stays registered on the connection, yet the bound only required the closure to outlive a borrow of the connection, not the connection itself. A closure that borrows values on the caller's stack therefore compiles in safe Rust, and SQLite may invoke it after those values have been dropped. This affects functions under the hooks feature, including commit_hook, rollback_hook, and update_hook, as well as functions under the functions and collation features [1][2][4].

Exploitation

There is no remote trigger. The hole is an unsound safe API, so "exploitation" means application code (or a dependency) that passes a closure borrowing a short-lived stack value to rollback_hook or one of the other affected registration functions, and then lets the connection invoke that closure after the value has been dropped. When SQLite fires the hook, the closure dereferences a dangling stack reference, which is the use-after-free. The preconditions are an affected version, the hooks feature (or the functions or collation feature) enabled, and a callback that runs after the borrowed data is gone. No authentication or network position is involved; the bug is reachable only through how the application itself uses the library [2][4].

Impact

Successful exploitation can lead to memory corruption, potentially allowing an attacker to read or write freed memory, causing undefined behavior, crashes, or in some cases arbitrary code execution. The impact depends on the specific usage context, but it compromises memory safety guarantees provided by Rust [2].

Mitigation

The vulnerability is fixed in rusqlite versions 0.25.4 and 0.26.2 [2][4]. Users should update to these or later versions. No workarounds are documented in the provided references. The patched releases require hook and function closures to be 'static, so after upgrading a rebuild is itself the check: any build error at a hook or function-registration call site is the compiler rejecting a closure that borrows stack data, and the fix is to move owned state (for example an Arc) into the closure instead. Dependency scanners that read the RustSec advisory database, such as cargo audit, flag affected versions in Cargo.lock. There is no evidence that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
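The following is an added example, not rusqlite's code, that models the Vulnerability, Exploitation and Mitigation sections above in plain Rust with no external crate. The Connection type, the rollback_hook / rollback_hook_relaxed / fire_rollback methods and the two driver functions are assumptions made for the illustration; the two bounds they carry ('c tied to a borrow of the connection versus 'static) are the before and after of the fix. The hook is stored type-erased behind a box, the way a C library holds a callback with no Rust lifetime attached.

```rust
// Added example (not rusqlite's own code): a toy connection that keeps a
// rollback hook as a type-erased closure and fires it later. Names and the
// overall shape are assumptions for this illustration.
use std::cell::RefCell;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

/// Type-erased hook as a C library would hold it: no Rust lifetime survives.
type Hook = Box<dyn FnMut() + Send + 'static>;

/// Toy stand-in for a database connection that keeps a rollback hook.
struct Connection {
    rollback: RefCell<Option<Hook>>,
}

impl Connection {
    fn new() -> Self {
        Connection { rollback: RefCell::new(None) }
    }

    /// Fixed bound (what the patched releases require): the closure must own
    /// everything it touches, so it can live as long as the connection does.
    fn rollback_hook<F>(&self, hook: Option<F>)
    where
        F: FnMut() + Send + 'static,
    {
        *self.rollback.borrow_mut() = hook.map(|f| Box::new(f) as Hook);
    }

    /// Relaxed bound (the affected versions): the closure only has to outlive
    /// the borrow `'c` of the connection, which may end right after this call.
    /// Keeping it past `'c` needs unsafe, and that erasure is the hole.
    fn rollback_hook_relaxed<'c, F>(&'c self, hook: Option<F>)
    where
        F: FnMut() + Send + 'c,
    {
        let erased: Option<Hook> = match hook {
            None => None,
            Some(f) => {
                let short: Box<dyn FnMut() + Send + 'c> = Box::new(f);
                // SAFETY: none. This is the unsound step being demonstrated.
                Some(unsafe { std::mem::transmute::<Box<dyn FnMut() + Send + 'c>, Hook>(short) })
            }
        };
        *self.rollback.borrow_mut() = erased;
    }

    /// Stand-in for SQLite invoking the registered hook on ROLLBACK.
    fn fire_rollback(&self) {
        if let Some(h) = self.rollback.borrow_mut().as_mut() {
            h();
        }
    }
}

/// Sound use under the fixed bound: shared, owned state via Arc, registered in
/// an inner scope and still valid when the hook fires after that scope ended.
fn count_rollbacks_safely(n: usize) -> usize {
    let conn = Connection::new();
    let count = Arc::new(AtomicUsize::new(0));
    {
        let c = Arc::clone(&count);
        // Without `move` (capturing `&count`) rustc rejects this call: the
        // closure would borrow a local but is required to be 'static.
        conn.rollback_hook(Some(move || {
            c.fetch_add(1, Ordering::SeqCst);
        }));
    }
    for _ in 0..n {
        conn.fire_rollback();
    }
    count.load(Ordering::SeqCst)
}

/// Under the relaxed bound this compiles although `local` dies at the end of
/// the inner block while the hook stays registered in `conn`; firing it after
/// the block would be the use-after-free. The hook is cleared by hand before
/// `local` drops so this function stays defined, but nothing in the types
/// enforces that.
fn relaxed_bound_accepts_stack_borrow() -> usize {
    let conn = Connection::new();
    let seen;
    {
        let local = AtomicUsize::new(0); // stack value, gone after this block
        conn.rollback_hook_relaxed(Some(|| {
            local.fetch_add(1, Ordering::SeqCst);
        }));
        conn.fire_rollback();
        conn.fire_rollback();
        seen = local.load(Ordering::SeqCst);
        conn.rollback_hook_relaxed(None::<fn()>); // manual cleanup the API never forces
    }
    seen
}

fn main() {
    println!("fixed bound, Arc-owned counter: {} rollbacks", count_rollbacks_safely(3));
    println!("relaxed bound, stack borrow: {} rollbacks seen before cleanup", relaxed_bound_accepts_stack_borrow());
}
```

The point of the second function is what the compiler does not say: with the 'c bound, registering a closure over `local` type-checks, and only the manual `None` reset keeps the example defined. Delete that line, move `conn.fire_rollback()` below the block, and the program still compiles while reading a dead stack slot. Under the 'static bound the same closure is a build error, which is why a recompile against the patched versions is a sufficient audit of existing call sites.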

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               | Affected versions     | Patched versions
rusqlite (crates.io)  | >= 0.25.0, < 0.25.4   | 0.25.4
rusqlite (crates.io)  | >= 0.26.0, < 0.26.2   | 0.26.2

Affected products: 2

Patches: 0 (no patch commits discovered yet)

Vulnerability mechanics: not yet synthesized for this CVE.

References: 5

News mentions: 0 (no linked articles in the index yet)