Memory Safety Violation in Rust Zip Implementation by Rust Language
CVE-2021-28877

7.5HIGH

Key Information:

Vendor: Rust-lang
Status: Rust
Vendor: CVE Published:; 11 April 2021

What is CVE-2021-28877?

The implementation of the Zip functionality in the Rust standard library prior to version 1.51.0 contains a flaw where the __iterator_get_unchecked() method can be invoked multiple times for the same index during nested operations. This repetition can compromise memory safety, as it bypasses a critical safety requirement associated with the TrustedRandomAccess trait, leading to potential security risks.

References

https://github.com/rust-lang/rust/pull/80670

https://security.gentoo.org/glsa/202210-09

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2021
Vulnerability Reserved
Mar 19, 2021

Rust-lang

What is CVE-2021-28877?

References

CVSS V3.1

Timeline