Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJ4cjQteDU1OC14N2h3

Critical EPSS: 0.00425% (0.61006 Percentile) EPSS:
Permalink JSON

Double free in smallvec

Affected Packages Affected Versions Fixed Versions
cargo:smallvec >= 0.3.2, < 0.6.3 0.6.3
1,616 Dependent packages
67,564 Dependent repositories
462,121,101 Downloads total

Affected Version Ranges

All affected versions

0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2

All unaffected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.3.1, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1

If an iterator passed to SmallVec::insert_many panicked in Iterator::next, destructors were run during unwinding while the vector was in an inconsistent state, possibly causing a double free (a destructor running on two copies of the same value).

This is fixed in smallvec 0.6.3 by ensuring that the vector's length is not updated to include moved items until they have been removed from their original positions. Items may now be leaked if Iterator::next panics, but they will not be dropped more than once.

References:

Identifiers

GHSA-rxr4-x558-x7hw

CVE-2018-20991

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00425

EPSS Percentile: 0.61006

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/servo/rust-smallvec

Date and time

Published

almost 4 years ago

Updated

about 2 years ago

API

JSON