PT-2020-17494 · Rust · Bitvec

Published: 2020-03-27 · Updated: 2021-08-25 · CVE-2020-35862

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: bitvec crate, versions prior to 0.17.4

Description: The issue arises in the conversion of BitVec to BitBox, which can lead to a use-after-free or double free. The conversion did not account for the allocation moving when the buffer was resized: it kept using the original base address instead of the address of the resized buffer.

Recommendations: For versions prior to 0.17.4, update to version 0.17.4 or later to resolve the issue. As a temporary workaround, avoid converting BitVec to BitBox until the update is applied.
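The pattern behind this bug, as an added Rust illustration that is not bitvec's own code: the conversion below is a constructed model that always rebuilds the buffer at exact length, so the allocation is guaranteed to move, and the two wrappers contrast a base pointer recorded before the conversion (stale, pointing at freed memory) with one derived from the new buffer (correct). Only addresses are compared; nothing is dereferenced.

```rust
// Added illustration, not bitvec's code: why a base pointer captured before a
// capacity-changing conversion must not be reused afterwards.

/// Constructed model of a Vec -> Box<[u8]> conversion that always copies into
/// a new exactly-sized buffer, so the allocation is guaranteed to move.
/// (bitvec's real conversion is different code; this only models the move.)
fn into_exact_box(v: Vec<u8>) -> Box<[u8]> {
    // New allocation is made while `v` is still alive, so the two addresses
    // are necessarily distinct. `v` is freed when this function returns.
    let exact: Vec<u8> = v.as_slice().to_vec();
    exact.into_boxed_slice() // capacity == len here, so no further move
}

/// Buggy pattern: records the base address *before* converting and keeps it.
/// After the move, that address names a freed buffer (use-after-free if read,
/// double free if released again).
fn convert_stale(v: Vec<u8>) -> (Box<[u8]>, *const u8) {
    let base = v.as_ptr(); // address of the old buffer
    let boxed = into_exact_box(v); // old buffer freed inside
    (boxed, base) // dangling pointer handed back
}

/// Fixed pattern: derive the base address from the buffer that actually exists
/// after the conversion.
fn convert_fixed(v: Vec<u8>) -> (Box<[u8]>, *const u8) {
    let boxed = into_exact_box(v);
    let base = boxed.as_ptr();
    (boxed, base)
}

/// True when the recorded pointer still names the live buffer.
fn pointer_matches(boxed: &[u8], recorded: *const u8) -> bool {
    std::ptr::eq(boxed.as_ptr(), recorded)
}

fn main() {
    // Constructed sample data with spare capacity, as a BitVec might have.
    let mut v = Vec::with_capacity(64);
    v.extend_from_slice(&[0xA5, 0x5A, 0xFF]);
    let (b, p) = convert_stale(v.clone());
    println!("stale pointer matches live buffer: {}", pointer_matches(&b, p));
    let (b, p) = convert_fixed(v);
    println!("fixed pointer matches live buffer: {}", pointer_matches(&b, p));
}
```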

Related links: Exploit · Fix

Weakness Enumeration: Double Free · Use After Free


Related Identifiers

CVE-2020-35862
GHSA-7CJC-HVXF-GQH7
RUSTSEC-2020-0007

Affected Products

Bitvec