CVE-2023-53156
Description
The transpose crate before 0.2.3 for Rust allows an integer overflow via input_width and input_height arguments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing checked multiplication in the Rust `transpose` crate ≤0.2.2 can cause an integer overflow, bypassing bounds checks and allowing out-of-bounds memory writes.
What the vulnerability is
The transpose crate for Rust provides utilities for transposing multi-dimensional data. In versions prior to 0.2.3, the functions transpose and transpose_inplace validated that the output slice length equals the product of input_width and input_height using a raw multiplication: input_width * input_height == output.len() [2]. Because the multiplication is performed using usize arithmetic, a sufficiently large input_width or input_height can cause an integer overflow, wrapping the product to a smaller value. This wrapped value may then pass the equality check even though the actual required buffer size is larger than output.len() [2]. This bug exists only in release builds, since debug mode arithmetic overflow causes a panic [2].
How it is exploited
An attacker who can control the input_width and input_height arguments passed to transpose or transpose_inplace can craft values that, when multiplied, overflow to match the size of a smaller output buffer. The functions expect the caller to provide correctly sized slices, but the overflow defeats that safety check. The unsafe internal function transpose_small will then write data past the end of the output buffer [2] [3]. The attack requires no special privileges beyond the ability to call the vulnerable API with attacker-controlled dimensions [2].
Impact
Successful exploitation leads to an out-of-bounds memory write on the heap or stack (depending on where the output slice is allocated). This memory corruption can cause a crash, data corruption, or potentially arbitrary code execution in the context of the calling process [2]. Applications that process untrusted input dimensions with the transpose crate are at risk.
Mitigation
The issue is fixed in transpose version 0.2.3 by using checked_mul in the assertion, causing a panic on overflow instead of silent wraparound [3]. The advisory (RUSTSEC-2023-0080) lists the patched version as >=0.2.3 [2]. Users should update the crate to the latest version promptly.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
transposecrates.io | >= 0.1.0, < 0.2.3 | 0.2.3 |
Affected products
2- ejmahler/transposev5Range: 0
Patches
1c4bcd39fabcaUse checked_mul instead of raw multiplication. Fixes #11
2 files changed · +3 −3
src/in_place.rs+1 −1 modified@@ -67,7 +67,7 @@ fn multiplicative_inverse(a: usize, n: usize) -> usize { /// /// Panics if `input.len() != input_width * input_height` or if `output.len() != input_width * input_height` pub fn transpose_inplace<T: Copy>(buffer: &mut [T], scratch: &mut [T], width: usize, height: usize) { - assert_eq!(width*height, buffer.len()); + assert_eq!(width.checked_mul(height), Some(buffer.len())); assert_eq!(core::cmp::max(width, height), scratch.len()); let gcd = StrengthReducedUsize::new(num_integer::gcd(width, height));
src/out_of_place.rs+2 −2 modified@@ -228,8 +228,8 @@ fn transpose_recursive<T: Copy>(input: &[T], output: &mut [T], row_start: usize, /// /// Panics if `input.len() != input_width * input_height` or if `output.len() != input_width * input_height` pub fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize) { - assert_eq!(input_width*input_height, input.len()); - assert_eq!(input_width*input_height, output.len()); + assert_eq!(input_width.checked_mul(input_height), Some(input.len())); + assert_eq!(input.len(), output.len()); if input.len() <= SMALL_LEN { unsafe { transpose_small(input, output, input_width, input_height) }; }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-5gmm-6m36-r7jhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-53156ghsaADVISORY
- github.com/ejmahler/transpose/commit/c4bcd39fabca9a31a401d0cc42d4090869b5a37aghsaWEB
- github.com/ejmahler/transpose/issues/11ghsaWEB
- rustsec.org/advisories/RUSTSEC-2023-0080.htmlghsaWEB
- crates.io/crates/transposemitre
News mentions
0No linked articles in our index yet.