VYPR
Moderate severity · NVD Advisory · Published Mar 24, 2023 · Updated Feb 19, 2025

Versionize is lacking bound checks, potentially leading to out of bounds memory access

CVE-2023-28448

Description

Missing bounds check in Versionize's FamStructWrapper deserialization allows out-of-bounds memory access; fixed in 0.1.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability resides in the Versionize::deserialize implementation for vmm_sys_utils::fam::FamStructWrapper in the versionize crate. The deserialization routine lacks a check to ensure that the length field in the serialized header matches the actual number of entries in the flexible array (FAM). An attacker can craft serialized data where the header length is artificially inflated, causing the deserialization to access memory beyond the allocated buffer [1][2].

The attack requires the ability to supply a malicious serialized payload to a process that uses versionize to deserialize FamStructWrapper objects. No special privileges are needed beyond the ability to provide input (e.g., via file read, network packet). The deserialization occurs without user interaction and can be triggered locally or remotely if the application deserializes untrusted data [2].

Successful exploitation leads to out-of-bounds memory reads or writes, which can cause information disclosure, memory corruption, or denial of service. The RustSec advisory rates this as a medium severity vulnerability (CVSS 5.7), noting potential impact on integrity and availability [2].

The issue was introduced in version 0.1.1 and corrected in version 0.1.10. The fix adds a check comparing the header length to the number of deserialized entries and aborts deserialization if they mismatch [3]. Users should update to version 0.1.10 or later.
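The mismatch described above, as an added example that is not code from versionize or from the advisory: a simplified length-prefixed layout, assumed here for illustration, in which the header's length field and the entry vector's own count are both read from the input and must agree before the object is built. The names Fam, ParseError, take_u32, serialize and deserialize are hypothetical.

```rust
// Added illustration. Toy layout (constructed, not versionize's wire format):
// [header len: u32][entry count: u32][entries: u32 ...], all little-endian.
#[derive(Debug, PartialEq)]
enum ParseError { Truncated, LenMismatch { header: usize, actual: usize } }

#[derive(Debug, PartialEq)]
struct Fam {
    len: u32,          // length claimed by the header (untrusted input)
    entries: Vec<u32>, // entries actually present in the payload
}

fn take_u32(buf: &mut &[u8]) -> Result<u32, ParseError> {
    if buf.len() < 4 { return Err(ParseError::Truncated); }
    let (head, rest) = buf.split_at(4);
    let value = u32::from_le_bytes([head[0], head[1], head[2], head[3]]);
    *buf = rest;
    Ok(value)
}

fn serialize(f: &Fam) -> Vec<u8> {
    let mut out = f.len.to_le_bytes().to_vec();
    out.extend_from_slice(&(f.entries.len() as u32).to_le_bytes());
    for e in &f.entries {
        out.extend_from_slice(&e.to_le_bytes());
    }
    out
}

fn deserialize(mut buf: &[u8]) -> Result<Fam, ParseError> {
    let len = take_u32(&mut buf)?;
    let count = take_u32(&mut buf)?;
    // Grow as entries are read; never pre-allocate from an untrusted count.
    let mut entries = Vec::new();
    for _ in 0..count {
        entries.push(take_u32(&mut buf)?);
    }
    // Same kind of check the fix adds: header length must equal the entries read.
    if len as usize != entries.len() {
        return Err(ParseError::LenMismatch { header: len as usize, actual: entries.len() });
    }
    Ok(Fam { len, entries })
}

fn main() {
    let good = serialize(&Fam { len: 2, entries: vec![10, 20] });
    let mut bad = good.clone();
    bad[0] = 255; // header len no longer matches the two entries present
    println!("{:?}\n{:?}", deserialize(&good), deserialize(&bad));
}
```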

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: versionize (crates.io)
Affected versions: >= 0.1.1, < 0.1.10
Patched versions: 0.1.10

Affected products

2
  • ghsa-coords
    Range: >= 0.1.1, < 0.1.10
  • firecracker-microvm/versionizev5
    Range: < 0.1.10

Patches

1
a57a051ba006

Add missing bounds check to FamStructWrapper::deserialize

2 files changed · +38 0
  • src/primitives.rs+12 0 modified
    @@ -369,6 +369,18 @@ where
             let entries: Vec<<T as FamStruct>::Entry> =
                 Vec::deserialize(reader, version_map, app_version)
                     .map_err(|ref err| VersionizeError::Deserialize(format!("{:?}", err)))?;
    +
    +        if header.len() != entries.len() {
    +            let msg = format!(
    +                "Mismatch between length of FAM specified in FamStruct header ({}) \
    +                and actual size of FAM ({})",
    +                header.len(),
    +                entries.len()
    +            );
    +
    +            return Err(VersionizeError::Deserialize(msg));
    +        }
    +
             // Construct the object from the array items.
             // Header(T) fields will be initialized by Default trait impl.
             let mut object = FamStructWrapper::from_entries(&entries)
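Review bot: The new "if header.len() != entries.len()" block carries no comment explaining why a mismatch has to be rejected, even though the context line right below it notes that the object is constructed from the array items while the header is handled separately. A short comment above the if, stating that the header length comes from the serialized input and must agree with the number of deserialized entries, would make the invariant explicit and harder to drop in a later refactor. Consider also a dedicated VersionizeError variant carrying both lengths instead of a formatted Deserialize string, so callers and tests do not have to match on message text.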
    
  • tests/test.rs+26 0 modified
    @@ -1323,6 +1323,32 @@ impl<T> Versionize for __IncompleteArrayField<T> {
     type MessageFamStructWrapper = FamStructWrapper<Message>;
     type Message2FamStructWrapper = FamStructWrapper<Message2>;
     
    +#[test]
    +fn test_deserialize_famstructwrapper_invalid_len() {
    +    let mut vm = VersionMap::new();
    +    vm.new_version()
    +        .set_type_version(Message::type_id(), 2)
    +        .new_version()
    +        .set_type_version(Message::type_id(), 3)
    +        .new_version()
    +        .set_type_version(Message::type_id(), 4);
    +
    +    // Create FamStructWrapper with len 2
    +    let state = MessageFamStructWrapper::new(0).unwrap();
    +    let mut buffer = [0; 256];
    +
    +    state.serialize(&mut buffer.as_mut_slice(), &vm, 2).unwrap();
    +
    +    // the `len` field of the header is the first serialized field.
    +    // Let's corrupt it by making it bigger than the actual number of serialized elements
    +    buffer[0] = 255;
    +
    +    assert_eq!(
    +        MessageFamStructWrapper::deserialize(&mut buffer.as_slice(), &vm, 2).unwrap_err(),
    +        VersionizeError::Deserialize("Mismatch between length of FAM specified in FamStruct header (255) and actual size of FAM (0)".to_string())
    +    );
    +}
    +
     #[test]
     fn test_versionize_famstructwrapper() {
         let mut vm = VersionMap::new();
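Review bot: The comment "Create FamStructWrapper with len 2" does not match the line below it, which calls MessageFamStructWrapper::new(0), and the expected error text reports an actual FAM size of 0; the 2 appears only as the last argument to serialize and deserialize, so the comment should say len 0. The test also covers only a header length larger than the entry count; a second case that serializes a non-empty wrapper and lowers the header length would exercise the other direction of the != check.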
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
