PT-2021-24255 · Unknown · Derive-Com-Impl

Connicpu · Published 2021-01-20 · Updated 2022-06-16 · CVE-2021-45681

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: derive-com-impl crate versions prior to 0.1.2
Description: An issue in the derive-com-impl crate can cause an invalid reference and memory corruption because the AddRef method might not be called before returning a pointer. The QueryInterface method implementation is faulty, as it does not call IUnknown::AddRef before returning the pointer, which can lead to an invalid reference when IUnknown::Release is called. This is due to the reference count not being incremented as expected.
Recommendations: For versions prior to 0.1.2, the only quick fix is to use the macro-expanded version of the code and modify the QueryInterface method to add the AddRef call yourself.
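
The reference-counting contract behind this issue, as an added example that is not code from the derive-com-impl crate or its macro output. `ComObject` and its methods are hypothetical names in a simplified model that records destruction in a flag instead of freeing memory, so the effect of the missing AddRef can be observed safely.

```rust
use std::cell::Cell;

/// Constructed stand-in for a COM object: tracks the reference count and
/// whether the object has been destroyed, without really freeing memory.
struct ComObject {
    refs: Cell<u32>,
    destroyed: Cell<bool>,
}

impl ComObject {
    fn new() -> Self {
        // The creator holds the first reference.
        ComObject { refs: Cell::new(1), destroyed: Cell::new(false) }
    }

    fn add_ref(&self) -> u32 {
        self.refs.set(self.refs.get() + 1);
        self.refs.get()
    }

    fn release(&self) -> u32 {
        let n = self.refs.get() - 1;
        self.refs.set(n);
        if n == 0 {
            self.destroyed.set(true); // real code would free the object here
        }
        n
    }

    /// Behaviour described in the advisory: pointer handed out, no AddRef.
    fn query_interface_unfixed(&self) -> &ComObject {
        self
    }

    /// Corrected contract: every pointer returned owns one reference.
    fn query_interface_fixed(&self) -> &ComObject {
        self.add_ref();
        self
    }
}

/// True if the object was destroyed while the creator still held its pointer.
fn destroyed_while_owner_holds(fixed: bool) -> bool {
    let obj = ComObject::new();
    let iface = if fixed { obj.query_interface_fixed() } else { obj.query_interface_unfixed() };
    iface.release(); // caller is done with the queried interface
    obj.destroyed.get() // creator has not released its own reference yet
}
```

With the unfixed variant, the caller's single Release drops the count to zero while the creator still holds a pointer, which in real COM code leaves that pointer dangling.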

Fix

Memory Corruption


Weakness Enumeration

Related Identifiers

CVE-2021-45681
GHSA-9RG7-3J4F-CF4X
GHSA-W4CC-PC2H-WHCJ
RUSTSEC-2021-0083

Affected Products

Derive-Com-Impl