CVE-2021-26307

Name of the Vulnerable Software and Affected Versions raw-cpuid crate versions prior to 9.0.0

Description The issue allows cpuid count() calls even if the processor does not support the CPUID instruction, which is unsound and causes a deterministic crash. Additionally, there is undefined behavior in as string() methods, including VendorInfo::as string(), SoCVendorBrand::as string(), and ExtendedFunctionInfo::processor brand string(), due to the use of std::slice::from raw parts() with data from #[repr(Rust)] structs. The native cpuid::cpuid count() function exposes an unsafe intrinsic without checking the safety requirement that the CPU supports the function being called.

Recommendations For raw-cpuid crate versions prior to 9.0.0, update to version 9.0.0 or later to fix the issue. As a temporary workaround, consider avoiding the use of cpuid count() calls and the as string() methods until the update is applied. Restrict access to the native cpuid::cpuid count() function to minimize the risk of exploitation.