PT-2021-24290 · Rusqlite · Rusqlite
Published 2021-12-07 · Updated 2022-06-17 · CVE-2021-45716
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
rusqlite versions 0.25.0 through 0.25.3
rusqlite versions 0.26.0 through 0.26.1
Description:
The issue exists in the rusqlite crate for Rust, where several closure-accepting functions place too relaxed a lifetime bound on the closure type parameter. A closure that borrows data from the caller's stack can therefore be registered with a Connection, and SQLite can invoke it after that data has been dropped, a use after free in otherwise safe Rust code. The impacted functions are Connection::create_scalar_function, Connection::create_aggregate_function, Connection::create_window_function, Connection::commit_hook, Connection::rollback_hook, Connection::update_hook, and Connection::create_collation.
Recommendations:
For rusqlite versions 0.25.0 through 0.25.3, upgrade to version 0.25.4 or newer.
For rusqlite versions 0.26.0 through 0.26.1, upgrade to version 0.26.2 or newer.
If upgrading is not immediately possible, avoid the impacted functions, or make sure every closure passed to them owns its captured state (move semantics, no borrows of shorter-lived values) so that nothing the closure references can be dropped while the Connection is still alive.
Limit which code paths are allowed to register callbacks on a Connection to reduce the exposure until the upgrade is applied.
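To make the mechanism behind the description concrete, the following added example (written for this page, not rusqlite's own code) models how a Rust closure is handed to SQLite as an opaque user-data pointer and why the closure type needs a `'static` bound. The `Connection` stand-in, its `call` method (standing in for SQLite evaluating the registered function during a query), the `ScalarFn` alias and `demo_static_closure` are all assumptions of this example; the real crate registers the closure through `sqlite3_create_function_v2` with separate call and destroy callbacks, which is what the two `extern "C"` functions imitate here.

```rust
// Added example, not rusqlite's code: a miniature model of closure
// registration across an FFI boundary, showing the fixed ('static) bound.
use std::cell::Cell;
use std::ffi::c_void;

// Boxed trait object for the closure. It is boxed a second time below so a
// single thin `*mut c_void` can carry the fat pointer through the C side.
type ScalarFn = Box<dyn FnMut(i64) -> i64 + Send>;

// Stand-in for the xFunc callback SQLite invokes with the user-data pointer.
unsafe extern "C" fn call_boxed_closure(p_app: *mut c_void, arg: i64) -> i64 {
    // SAFETY: p_app came from Box::into_raw in create_scalar_function and is
    // only freed by free_boxed_closure, which runs after the last call.
    let f = &mut *(p_app as *mut ScalarFn);
    (*f)(arg)
}

// Stand-in for the xDestroy callback SQLite invokes when the function is
// replaced or the connection is closed.
unsafe extern "C" fn free_boxed_closure(p_app: *mut c_void) {
    // SAFETY: see call_boxed_closure; this is the single owner release.
    drop(Box::from_raw(p_app as *mut ScalarFn));
}

// Stand-in for rusqlite::Connection holding one registered scalar function.
pub struct Connection {
    p_app: Cell<*mut c_void>,
}

impl Connection {
    pub fn open() -> Self {
        Connection { p_app: Cell::new(std::ptr::null_mut()) }
    }

    // Fixed signature: the `'static` bound rejects closures that borrow from
    // the caller's stack. Without it (the vulnerable versions), a closure
    // capturing `&local` could be registered, `local` dropped, and SQLite
    // would still call it through p_app later.
    pub fn create_scalar_function<F>(&self, x_func: F)
    where
        F: FnMut(i64) -> i64 + Send + 'static,
    {
        let inner: ScalarFn = Box::new(x_func);
        let raw = Box::into_raw(Box::new(inner)) as *mut c_void;
        let old = self.p_app.replace(raw);
        if !old.is_null() {
            unsafe { free_boxed_closure(old) };
        }
    }

    // Stand-in for SQLite evaluating `SELECT f(?)`: the C side knows nothing
    // about Rust lifetimes, it only holds the raw pointer it was given.
    pub fn call(&self, arg: i64) -> Option<i64> {
        let p = self.p_app.get();
        if p.is_null() {
            None
        } else {
            Some(unsafe { call_boxed_closure(p, arg) })
        }
    }
}

impl Drop for Connection {
    fn drop(&mut self) {
        let p = self.p_app.get();
        if !p.is_null() {
            unsafe { free_boxed_closure(p) };
        }
    }
}

// Registers a closure that owns its state (what the 'static bound permits)
// and returns the results of two calls, mirroring `SELECT add_offset(2)`
// evaluated twice on the same connection.
pub fn demo_static_closure() -> (i64, i64) {
    let conn = Connection::open();
    let offset: i64 = 40; // owned value, moved into the closure
    let mut calls = 0; // mutable state, also moved in (FnMut)
    conn.create_scalar_function(move |x| {
        calls += 1;
        x + offset + calls
    });
    (conn.call(2).unwrap(), conn.call(2).unwrap())
}

// The shape the bug allowed, which the 'static bound now rejects at compile
// time ("`offset` does not live long enough"):
//
//     let offset = String::from("40");
//     conn.create_scalar_function(|x| x + offset.parse::<i64>().unwrap());
//
// With the pre-fix bound this compiled, and a query run after `offset` was
// dropped would read a freed stack slot through p_app.
```

The borrow checker cannot see through `*mut c_void`, so the only thing standing between a caller and a dangling closure is the bound on `F`; that is why the upgrade, rather than runtime checks, is the fix. When auditing your own FFI wrappers, look for the same pattern: any generic closure converted to a raw pointer and handed to C must carry `'static` (or be tied to a lifetime the wrapper actually enforces).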
Weakness Enumeration
Use After Free
Related Identifiers
CVE-2021-45716
Affected Products
Rusqlite