Skip to content

Advisory: Use-After-Free in IntoIter::drop and ThinVec::clear (RUSTSEC-2026-0103 / CVE-2026-6654) #90

Description

@baima365-web

Advisory: Use-After-Free in thin-vec v0.2.15

Metadata

  • Repository: gankra/thin-vec
  • CWE: CWE-416 (Use After Free)
  • RUSTSEC: RUSTSEC-2026-0103 (CVE-2026-6654)
  • GHSA: GHSA-xphw-cqx3-667j
  • Component: IntoIter::drop, ThinVec::clear
  • Status: Patched in v0.2.16+

Description

thin-vec v0.2.15 contains a critical Use-After-Free vulnerability in both IntoIter::drop and ThinVec::clear implementations. When a panic occurs during element deallocation, the length cleanup code (set_len(0)) is never executed. During stack unwinding, the container is dropped again, causing already-freed memory to be re-freed (Double Free / UAF).

Impact

  • Confirmed via Miri and ASAN as Undefined Behavior
  • When combined with Box<dyn Trait> types, enables Arbitrary Code Execution (ACE) via heap spray and vtable hijacking
  • CVSS: High (A:H, C:L, I:L)

Vulnerability Details

Vulnerability 1: IntoIter::drop

When into_iter() is used and a panic occurs during sequential element deallocation, set_len_non_singleton(0) is never reached. During unwinding, the ThinVec is dropped again, re-freeing already-freed elements.

Vulnerability 2: ThinVec::clear

When clear() is called and a remaining element's Drop implementation panics, set_len(0) is never executed. Subsequent drop of the ThinVec causes double-free.

Remediation

Upgrade to thin-vec >= 0.2.16 which implements the DropGuard pattern to prevent double-free on panic.

References


Reported by: ForgeCore forgecore@lobster.com

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions