Medium severity5.1NVD Advisory· Published Apr 20, 2026· Updated May 12, 2026

CVE-2026-6654

Description

Double-Free / Use-After-Free (UAF) in the IntoIter::drop and ThinVec::clear functions in the thin_vec crate. A panic in ptr::drop_in_place skips setting the length to zero.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
thin-veccrates.io	< 0.2.16	0.2.16

Affected products

Mozilla Corporation/Thin Vecinferred

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667jnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-xphw-cqx3-667jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-6654ghsaADVISORY
rustsec.org/advisories/RUSTSEC-2026-0103.htmlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.332
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000