CVE-2023-50711

Name of the Vulnerable Software and Affected Versions vmm-sys-util versions 0.5.0 through 0.12.0

Description The issue is related to the FamStructWrapper::deserialize implementation, which can lead to out of bounds memory accesses due to a mismatch between the length stored in the header and the flexible array length. This can allow out of bounds memory access through Rust-safe methods. The issue was corrected in version 0.12.0 by inserting a check that verifies the lengths of compared flexible arrays are equal for any deserialized header and aborting deserialization otherwise. Moreover, the API was changed so that header length can only be modified through Rust-unsafe code.

Recommendations For versions 0.5.0 through 0.11.0, update to version 0.12.0 to resolve the issue. As a temporary workaround, consider restricting access to the FamStructWrapper::deserialize function until a patch is available. Avoid using the FamStructWrapper::deserialize function in Rust-safe code to minimize the risk of exploitation.