CVE-2021-45719
Description
An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. update_hook has a use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in rusqlite's update_hook due to incorrect lifetime bounds on closures, affecting versions 0.25.x before 0.25.4 and 0.26.x before 0.26.2.
Vulnerability
In the rusqlite crate for Rust, the update_hook function (under cfg(feature = "hooks")) registered a callback with an overly relaxed lifetime bound [2][4]. This allowed a closure that borrows stack-local data to be passed to update_hook, even though the closure could be invoked later by SQLite after the borrowed values have been dropped, leading to a use-after-free. The vulnerability affects versions 0.25.0 through 0.25.3 and 0.26.0 through 0.26.1 [2][4].
Exploitation
An attacker must provide a closure to update_hook that captures references to data on the stack, and then arrange for that stack data to go out of scope before the closure is called by SQLite [2][4]. This can occur when the closure is created in a function scope and the callback is invoked after the function returns [4]. The attacker does not need special network access or authentication; the exploitation depends on the program's control flow and the ability to trigger a database transaction that invokes the hook after the borrowed data is freed [2][4].
Impact
Successful exploitation results in a use-after-free memory corruption, which can lead to information disclosure, arbitrary code execution, or a program crash [2][4]. Since rusqlite is a low-level binding, the impact could be severe if the attacker controls the freed memory content [2].
Mitigation
Upgrade to rusqlite version 0.25.4 or 0.26.2, where the lifetime bounds were corrected [2][4]. If an immediate upgrade is not possible, avoid passing closures that borrow stack-local data to update_hook, and ensure that any captured data has a lifetime at least as long as the database connection [4]. No workaround exists that fully addresses the root cause without patching [2].
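The following is an added example, not code from rusqlite, modelling the vulnerability and mitigation described above: a connection that stores a boxed hook for the lifetime of the connection, a `'static` bound of the kind the fixed versions use, and a hook that captures owned `Arc` state instead of borrowing a stack local. `Connection`, `register_update_hook`, `fire_update`, `install_logging_hook` and `demo` are hypothetical stand-ins for the real binding and for SQLite invoking the hook.

```rust
// Hypothetical model of a C-style hook registration (not rusqlite's code).
use std::sync::{Arc, Mutex};

/// Callback shape analogous to rusqlite's update hook: (action, table, rowid).
type Hook = Box<dyn FnMut(&str, &str, i64) + Send + 'static>;

pub struct Connection {
    // The real binding passes a raw pointer to this box to sqlite3_update_hook;
    // the box lives as long as the connection, not as long as any borrow of it.
    hook: Option<Hook>,
}

impl Connection {
    pub fn new() -> Self {
        Connection { hook: None }
    }

    // Fixed shape (0.25.4 / 0.26.2): `F: 'static` rejects closures that borrow
    // stack-local data. The vulnerable shape bounded `F` by the lifetime of the
    // `&self` borrow, so a closure borrowing a local could be stored here and
    // invoked by SQLite after that local had been dropped.
    pub fn register_update_hook<F>(&mut self, hook: F)
    where
        F: FnMut(&str, &str, i64) + Send + 'static,
    {
        self.hook = Some(Box::new(hook));
    }

    // Stand-in for SQLite firing the hook during a later write.
    pub fn fire_update(&mut self, action: &str, table: &str, rowid: i64) {
        if let Some(h) = self.hook.as_mut() {
            h(action, table, rowid);
        }
    }
}

/// Mitigation pattern: share state through an Arc moved into the closure,
/// so nothing captured is tied to this function's stack frame.
pub fn install_logging_hook(conn: &mut Connection) -> Arc<Mutex<Vec<String>>> {
    let log = Arc::new(Mutex::new(Vec::new()));
    let sink = Arc::clone(&log); // owned clone, moved into the closure below
    conn.register_update_hook(move |action, table, rowid| {
        sink.lock().unwrap().push(format!("{action} {table} rowid={rowid}"));
    });
    log
}

/// Fires the hook after install_logging_hook's frame is gone; still sound.
pub fn demo() -> Vec<String> {
    let mut conn = Connection::new();
    let log = install_logging_hook(&mut conn);
    conn.fire_update("INSERT", "users", 1);
    conn.fire_update("DELETE", "users", 1);
    let entries = log.lock().unwrap().clone();
    entries
}
```

Replacing the `'static` bound with a borrow-tied lifetime, as the affected versions did, would let `install_logging_hook` hand in a closure borrowing `log` by reference, which the compiler would then accept even though the hook runs after that frame is gone.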
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rusqlite (crates.io) | >= 0.25.0, < 0.25.4 | 0.25.4 |
| rusqlite (crates.io) | >= 0.26.0, < 0.26.2 | 0.26.2 |
Affected products
- rusqlite/rusqlite
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-g87r-23vw-7f87 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-45719 (NVD entry)
3. github.com/rusqlite/rusqlite/issues/1048 (upstream issue)
4. raw.githubusercontent.com/rustsec/advisory-db/main/crates/rusqlite/RUSTSEC-2021-0128.md (RustSec advisory source)
5. rustsec.org/advisories/RUSTSEC-2021-0128.html (RustSec advisory)
News mentions
No linked articles in our index yet.