PT-2026-33753 · Pypi · Thin-Vec

Juhyung Son · Published 2026-04-14 · Updated 2026-05-12 · CVE-2026-6654

CVSS v3.1: 5.1 Medium

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

thin-vec version 0.2.14

Description

A Double-Free and Use-After-Free (UAF) issue exists in the IntoIter::drop and ThinVec::clear functions. The problem occurs when a panic is triggered during sequential element deallocation via the ptr::drop_in_place() function, which prevents the subsequent length cleanup code (set_len(0)) from executing. During stack unwinding, the container is dropped again, leading to the re-freeing of already-freed memory. This can be triggered using safe Rust code. When combined with Box<dyn Trait> types, this can enable Arbitrary Code Execution (ACE) through heap spray and vtable hijacking, where an attacker-controlled fake vtable replaces a freed fat pointer slot to redirect execution.

Recommendations

For version 0.2.14, implement a DropGuard pattern by inserting an RAII guard before ptr::drop_in_place() to ensure set_len(0) is called regardless of a panic, or adopt a pre-zeroing approach by setting the length to 0 before calling ptr::drop_in_place(). As a temporary workaround, avoid using the ThinVec::clear function or dropping IntoIter before it is fully consumed when storing types whose Drop implementation can panic.
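The DropGuard recommendation above, shown on a toy container as an added example; this is not thin-vec's code or its actual patch. ToyVec, SetLenOnDrop, Noisy and drop_log_after_panicking_clear are hypothetical names, and the element type with a panicking Drop is constructed for the demonstration.

```rust
use std::{cell::RefCell, mem::MaybeUninit, panic, ptr, rc::Rc};

// Hypothetical toy container, not thin-vec's code: the first `len` slots are live.
struct ToyVec<T> { buf: Box<[MaybeUninit<T>]>, len: usize }

// RAII guard: zeroes the length on normal return and during unwinding alike.
struct SetLenOnDrop<'a>(&'a mut usize);
impl<'a> Drop for SetLenOnDrop<'a> { fn drop(&mut self) { *self.0 = 0; } }

impl<T> ToyVec<T> {
    fn from_vec(v: Vec<T>) -> Self {
        let len = v.len();
        ToyVec { buf: v.into_iter().map(MaybeUninit::new).collect(), len }
    }

    fn clear(&mut self) {
        let live = ptr::slice_from_raw_parts_mut(self.buf.as_mut_ptr() as *mut T, self.len);
        // Arm the guard BEFORE dropping elements. The unsafe ordering is
        // drop_in_place first, `self.len = 0` afterwards: a panicking Drop
        // skips the reset and the container's own Drop frees the slots again.
        let _guard = SetLenOnDrop(&mut self.len);
        // SAFETY: `live` covers exactly the initialized slots, and the guard
        // ensures none of them is treated as live after this call.
        unsafe { ptr::drop_in_place(live) };
    }
}

impl<T> Drop for ToyVec<T> { fn drop(&mut self) { self.clear(); } }

// Constructed element type: records its id when dropped; id 1 panics.
struct Noisy { id: usize, log: Rc<RefCell<Vec<usize>>> }
impl Drop for Noisy {
    fn drop(&mut self) {
        self.log.borrow_mut().push(self.id);
        if self.id == 1 { panic!("constructed panic in Drop"); }
    }
}

fn drop_log_after_panicking_clear() -> Vec<usize> {
    let log = Rc::new(RefCell::new(Vec::new()));
    let mut v = ToyVec::from_vec((0..3).map(|id| Noisy { id, log: log.clone() }).collect());
    assert!(panic::catch_unwind(panic::AssertUnwindSafe(|| v.clear())).is_err());
    drop(v); // second pass sees len == 0, so no slot is dropped twice
    let out = log.borrow().clone();
    out
}

fn main() { println!("{:?}", drop_log_after_panicking_clear()); }
```

Each id appears in the log exactly once even though clear() unwound partway through; the pre-zeroing variant replaces the guard with a plain length reset placed before the drop_in_place call.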

Fix

Double Free

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-6654
GHSA-XPHW-CQX3-667J
RUSTSEC-2026-0103

Affected Products

Thin-Vec