PT-2021-16992 · Crates.Io · Cdr

Published

2021-01-02

·

Updated

2021-08-25

·

CVE-2021-26305

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

cdr crate versions prior to 0.2.4
Description

An issue was discovered in Deserializer::read_vec in the cdr crate for Rust. The function allocated a buffer without initializing it and passed that buffer, as a &mut [u8], to the user-provided Read implementation. Exposing uninitialized memory through a byte slice is undefined behavior in Rust, so the function was unsound regardless of which reader was used. Concretely, a Read implementation that inspects its output buffer instead of filling it can obtain the previous contents of the newly allocated heap memory (a memory-exposure bug).
Recommendations

Update the cdr crate to version 0.2.4 or later, which resolves the issue. If you cannot update immediately, avoid Deserializer::read_vec() and deserialize only from Read implementations you control (for example std::io::Cursor or std::fs::File): the leak can only be triggered by a reader that looks at its output buffer rather than filling it, which standard-library readers do not do. The code is unsound either way, so this is a stopgap, not a fix.
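The following is an added illustration, not code from the cdr crate or its fix. It places a minimal reconstruction of the unsound pattern (an uninitialized Vec handed to a reader) beside a sound replacement that zero-initializes first, and includes a constructed hostile reader that copies out whatever it is given instead of filling it, which is exactly the kind of Read implementation the advisory describes. The names SnoopingReader, read_vec_unsound, read_vec_sound, read_len_prefixed_sound and MAX_VEC_LEN are hypothetical; the little-endian u32 length prefix and the 64 MiB cap are assumptions for the example and are not cdr's actual wire format or patch.

```rust
use std::io::{self, Read};

/// Constructed, deliberately hostile `Read` implementation. Instead of
/// filling the buffer it is handed, it copies the buffer's *current*
/// contents out and claims the whole buffer was filled. Against an
/// uninitialized buffer this is the memory exposure from the advisory;
/// against a zeroed buffer it can only ever observe zeros.
struct SnoopingReader {
    leaked: Vec<u8>,
}

impl Read for SnoopingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.leaked.extend_from_slice(buf);
        Ok(buf.len()) // lie: report the buffer as completely filled
    }
}

/// UNSOUND pattern (hypothetical reconstruction, not cdr's real code).
/// `set_len` exposes uninitialized heap memory through `&mut [u8]`,
/// which is undefined behavior even before the reader touches it.
/// Kept only for contrast and never called.
#[allow(dead_code)]
fn read_vec_unsound<R: Read>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = Vec::with_capacity(len);
    unsafe { buf.set_len(len) }; // UB: the elements were never written
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

/// Sound pattern: allocate zero-initialized storage before handing it to
/// the reader. The cost is one memset; the benefit is that no caller can
/// ever observe stale heap contents, however the reader behaves.
fn read_vec_sound<R: Read>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; len];
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

/// Hypothetical upper bound on a single length-prefixed vector. A length
/// read from untrusted input must be capped before allocation, otherwise
/// a four-byte prefix can demand a 4 GiB allocation.
const MAX_VEC_LEN: usize = 64 * 1024 * 1024;

/// Reads a u32 little-endian length prefix (assumed encoding for this
/// example), checks it against the cap, then reads the payload soundly.
fn read_len_prefixed_sound<R: Read>(reader: &mut R) -> io::Result<Vec<u8>> {
    let mut len_bytes = [0u8; 4];
    reader.read_exact(&mut len_bytes)?;
    let len = u32::from_le_bytes(len_bytes) as usize;
    if len > MAX_VEC_LEN {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            "length prefix exceeds MAX_VEC_LEN",
        ));
    }
    read_vec_sound(reader, len)
}

fn main() {
    // With the sound reader the snooper sees only the zeros we put there.
    let mut snoop = SnoopingReader { leaked: Vec::new() };
    let buf = read_vec_sound(&mut snoop, 8).expect("read_vec_sound");
    println!("buffer = {:?}, snooper observed = {:?}", buf, snoop.leaked);

    // Constructed wire sample: length 3, then three payload bytes.
    let mut wire = io::Cursor::new(vec![3, 0, 0, 0, 0xaa, 0xbb, 0xcc]);
    println!("payload = {:?}", read_len_prefixed_sound(&mut wire).unwrap());
}
```

The snooper is the test oracle: run it against read_vec_sound and its leaked copy is all zeros, which is the property the fix must guarantee. Running it against read_vec_unsound would make the leak visible but also executes undefined behavior, so that function is shown and not exercised.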

Weakness Enumeration

Use of Uninitialized Resource (CWE-908)

Related Identifiers

CVE-2021-26305
GHSA-37JJ-WP7G-7WJ4
RUSTSEC-2021-0012

Affected Products

Cdr