PT-2026-39309 · Crates.Io · Smallbitvec
PoC 1: Out-of-bounds write via
PoC 2: Overflow via
Published
2026-05-09
·
Updated
2026-05-09
·
CVE-2026-44983
CVSS v3.1
7.3
High
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
Summary
An integer overflow in the internal capacity calculation of
smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller.Details
The issue originates from unchecked arithmetic in the internal helper function responsible for computing the required buffer size:
(cap + bits per storage() - 1) / bits per storage()When
cap is close to usize::MAX, the addition:cap + bits per storage() - 1can overflow in release builds and wrap around due to Rust’s default wrapping semantics for integer overflow in optimized builds.
As a result:
buffer len(cap)may return a value significantly smaller than required.- The backing storage is allocated with insufficient size.
- Internal metadata (logical length/capacity) reflects a much larger size than the actual allocation.
Subsequent safe API calls (e.g.,
set, push, reserve) rely on this corrupted metadata and perform index computations that assume sufficient backing storage. These operations eventually reach unsafe internal code paths (e.g., pointer arithmetic and unchecked indexing), leading to out-of-bounds memory access.Summary of the issue:
integer overflow
→ undersized allocation
→ inconsistent metadata (len/cap vs actual buffer)
→ unsafe internal access using corrupted metadata
→ heap buffer overflow (UB)
PoC
PoC 1: Out-of-bounds write via from elem
#![forbid(unsafe code)]
use smallbitvec::SmallBitVec;
fn main() {
// Triggers overflow in buffer len(cap)
let mut v = SmallBitVec::from elem(usize::MAX, false);
// Logical length is large, but backing storage is undersized
// This leads to out-of-bounds write in unsafe internals
v.set(0, true);
}PoC 2: Overflow via reserve
#![forbid(unsafe code)]
use smallbitvec::SmallBitVec;
fn main() {
let mut v = SmallBitVec::new();
v.push(true);
// Triggers overflow in capacity computation
v.reserve(usize::MAX - 10);
}Impact
- Heap buffer overflow via safe API only
- ASAN-observable heap-buffer-overflow
- Undefined Behavior detectable with Miri (e.g., out-of-bounds indexing due to corrupted metadata)
Tested on
- rustc 1.96.0-nightly (9602bda1d 2026-04-05)
- Target: x86 64-unknown-linux-gnu
- Build: release
- ASAN:
RUSTFLAGS="-Z sanitizer=address" cargo +nightly run --release - Miri:
cargo +nightly miri run --release
Fix
Heap Based Buffer Overflow
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Smallbitvec