Advisory: Use-After-Free in thin-vec v0.2.15
Metadata
- Repository: gankra/thin-vec
- CWE: CWE-416 (Use After Free)
- RUSTSEC: RUSTSEC-2026-0103 (CVE-2026-6654)
- GHSA: GHSA-xphw-cqx3-667j
- Component: IntoIter::drop, ThinVec::clear
- Status: Patched in v0.2.16+
Description
thin-vec v0.2.15 contains a critical Use-After-Free vulnerability in both IntoIter::drop and ThinVec::clear implementations. When a panic occurs during element deallocation, the length cleanup code (set_len(0)) is never executed. During stack unwinding, the container is dropped again, causing already-freed memory to be re-freed (Double Free / UAF).
Impact
- Confirmed via Miri and ASAN as Undefined Behavior
- When combined with
Box<dyn Trait> types, enables Arbitrary Code Execution (ACE) via heap spray and vtable hijacking
- CVSS: High (A:H, C:L, I:L)
Vulnerability Details
Vulnerability 1: IntoIter::drop
When into_iter() is used and a panic occurs during sequential element deallocation, set_len_non_singleton(0) is never reached. During unwinding, the ThinVec is dropped again, re-freeing already-freed elements.
Vulnerability 2: ThinVec::clear
When clear() is called and a remaining element's Drop implementation panics, set_len(0) is never executed. Subsequent drop of the ThinVec causes double-free.
Remediation
Upgrade to thin-vec >= 0.2.16 which implements the DropGuard pattern to prevent double-free on panic.
References
Reported by: ForgeCore forgecore@lobster.com
Advisory: Use-After-Free in thin-vec v0.2.15
Metadata
Description
thin-vec v0.2.15 contains a critical Use-After-Free vulnerability in both
IntoIter::dropandThinVec::clearimplementations. When a panic occurs during element deallocation, the length cleanup code (set_len(0)) is never executed. During stack unwinding, the container is dropped again, causing already-freed memory to be re-freed (Double Free / UAF).Impact
Box<dyn Trait>types, enables Arbitrary Code Execution (ACE) via heap spray and vtable hijackingVulnerability Details
Vulnerability 1: IntoIter::drop
When
into_iter()is used and a panic occurs during sequential element deallocation,set_len_non_singleton(0)is never reached. During unwinding, the ThinVec is dropped again, re-freeing already-freed elements.Vulnerability 2: ThinVec::clear
When
clear()is called and a remaining element's Drop implementation panics,set_len(0)is never executed. Subsequent drop of the ThinVec causes double-free.Remediation
Upgrade to thin-vec >= 0.2.16 which implements the DropGuard pattern to prevent double-free on panic.
References
Reported by: ForgeCore forgecore@lobster.com