Pypi · Thin-Vec · CVE-2026-6654
**Name of the Vulnerable Software and Affected Versions**
thin-vec version 0.2.14
**Description**
A Double-Free and Use-After-Free (UAF) issue exists in the `IntoIter::drop` and `ThinVec::clear` functions. The problem occurs when a panic is triggered during sequential element deallocation via the `ptr::drop_in_place()` function, which prevents the subsequent length cleanup code (`set_len(0)`) from executing. During stack unwinding, the container is dropped again, leading to the re-freeing of already-freed memory. This can be triggered using safe Rust code. When combined with `Box<dyn Trait>` types, this can enable Arbitrary Code Execution (ACE) through heap spray and vtable hijacking, where an attacker-controlled fake vtable replaces a freed fat pointer slot to redirect execution.
**Recommendations**
For version 0.2.14, implement a DropGuard pattern by inserting an RAII guard before `ptr::drop_in_place()` to ensure `set_len(0)` is called regardless of a panic, or adopt a pre-zeroing approach by setting the length to 0 before calling `ptr::drop_in_place()`.
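The DropGuard recommendation above, sketched on a toy container as an added example that is not thin-vec's code: `Toy`, `ZeroLen`, `Noisy` and `drops_after_panicking_clear` are hypothetical names, and the `len` field stands in for the length that `set_len(0)` resets. One element panics in `Drop` during `clear`, the container is then dropped while unwinding, and each element destructor still runs exactly once.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;
use std::rc::Rc;

// Hypothetical toy container; `len` stands in for the header length field.
struct Toy<T> { buf: Vec<MaybeUninit<T>>, len: usize }

// RAII guard: zeroes the length when it leaves scope, including on unwind.
struct ZeroLen<'a>(&'a mut usize);
impl Drop for ZeroLen<'_> { fn drop(&mut self) { *self.0 = 0; } }

impl<T> Toy<T> {
    fn push(&mut self, v: T) {
        self.buf.truncate(self.len); // stale slots: MaybeUninit never drops
        self.buf.push(MaybeUninit::new(v));
        self.len += 1;
    }
    fn clear(&mut self) {
        let (p, n) = (self.buf.as_mut_ptr() as *mut T, self.len);
        let _guard = ZeroLen(&mut self.len); // armed before any destructor runs
        // SAFETY: slots 0..n are initialized and are dropped only here.
        unsafe { ptr::drop_in_place(ptr::slice_from_raw_parts_mut(p, n)) }
    }
}
impl<T> Drop for Toy<T> { fn drop(&mut self) { self.clear(); } }

// Constructed element type: counts its drops and panics in Drop when flagged.
struct Noisy(Rc<Cell<usize>>, bool);
impl Drop for Noisy {
    fn drop(&mut self) {
        self.0.set(self.0.get() + 1);
        if self.1 { panic!("constructed panic in Drop"); }
    }
}

// Number of element destructors run for 3 elements when one panics in clear().
fn drops_after_panicking_clear() -> usize {
    let count = Rc::new(Cell::new(0));
    let r = catch_unwind(AssertUnwindSafe(|| {
        let mut t = Toy { buf: Vec::new(), len: 0 };
        for flag in [false, true, false] { t.push(Noisy(count.clone(), flag)); }
        t.clear(); // panics on element 1; `t` is then dropped while unwinding
    }));
    assert!(r.is_err());
    count.get()
}
fn main() { println!("drops = {}", drops_after_panicking_clear()); }
```

The pre-zeroing alternative replaces the guard with `self.len = 0;` placed before the `drop_in_place` call.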
As a temporary workaround, avoid using the `ThinVec::clear` function or dropping `IntoIter` before it is fully consumed when storing types whose `Drop` implementation can panic.