CVE-2021-45720
Description
The lru crate before 0.7.1 for Rust has a use-after-free in its iterators when calling pop() during iteration, leading to potential memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The lru crate before 0.7.1 for Rust has a use-after-free in its iterators when calling pop() during iteration, leading to potential memory corruption.
Vulnerability
The lru crate (versions before 0.7.1) for Rust contains a use-after-free vulnerability in its iter() and iter_mut() methods. When a caller holds a reference obtained from the iterator and then calls pop() on the cache, the value is freed, but the reference remains accessible, leading to a use-after-free condition [1][2][3].
Exploitation
An attacker can trigger this by writing code that iterates over the cache and calls pop() on the current key while still holding the reference to the value. No special network position or authentication is required; the vulnerability is exploitable locally by any Rust program using the affected crate. The provided proof-of-concept demonstrates a segmentation fault [1].
Impact
Successful exploitation results in reading freed memory, which can lead to information disclosure or potentially arbitrary code execution depending on the memory layout. The RustSec advisory categorizes this as memory corruption [3].
Mitigation
The vulnerability is fixed in lru version 0.7.1 and later [3]. Users should update to at least 0.7.1. No workaround is available; the only mitigation is to upgrade.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lrucrates.io | < 0.7.1 | 0.7.1 |
Affected products
2- lru/lrudescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-v362-2895-h9r2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-45720ghsaADVISORY
- github.com/jeromefroe/lru-rs/issues/120ghsaWEB
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/lru/RUSTSEC-2021-0130.mdghsax_refsource_MISCWEB
- rustsec.org/advisories/RUSTSEC-2021-0130.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.