{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/smallbitvec--1.0.1--2.6.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["smallbitvec (\u003e= 1.0.1, \u003c= 2.6.0)"],"_cs_severities":["high"],"_cs_tags":["integer-overflow","heap-buffer-overflow","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["rust"],"content_html":"\u003cp\u003eThe Rust \u003ccode\u003esmallbitvec\u003c/code\u003e crate, versions 1.0.1 through 2.6.0, is vulnerable to an integer overflow in its internal capacity calculation, specifically in the \u003ccode\u003ebuffer_len\u003c/code\u003e function. This function computes the required buffer size from the provided capacity (\u003ccode\u003ecap\u003c/code\u003e). When \u003ccode\u003ecap\u003c/code\u003e approaches \u003ccode\u003eusize::MAX\u003c/code\u003e, the addition \u003ccode\u003ecap + bits_per_storage() - 1\u003c/code\u003e can overflow in release builds, wrapping around because Rust’s optimized builds use wrapping semantics for integer overflow by default. The wrapped value leads to an undersized heap allocation. Subsequent safe API calls such as \u003ccode\u003eset\u003c/code\u003e, \u003ccode\u003epush\u003c/code\u003e, and \u003ccode\u003ereserve\u003c/code\u003e rely on this corrupted metadata, leading to out-of-bounds memory access and heap buffer overflows. This vulnerability allows memory corruption without requiring the use of \u003ccode\u003eunsafe\u003c/code\u003e code by the caller.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA \u003ccode\u003eSmallBitVec\u003c/code\u003e is instantiated using a large capacity (e.g., \u003ccode\u003eusize::MAX\u003c/code\u003e in \u003ccode\u003efrom_elem\u003c/code\u003e or a large value passed to \u003ccode\u003ereserve\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebuffer_len(cap)\u003c/code\u003e function is called internally to calculate the required buffer size.\u003c/li\u003e\n\u003cli\u003eThe addition within \u003ccode\u003ebuffer_len(cap)\u003c/code\u003e overflows, resulting in a smaller-than-expected value.\u003c/li\u003e\n\u003cli\u003eThe backing storage is allocated based on the overflowed, smaller size.\u003c/li\u003e\n\u003cli\u003eInternal metadata (logical length/capacity) is set based on the original, large capacity value, creating a mismatch between metadata and actual buffer size.\u003c/li\u003e\n\u003cli\u003eA safe API call (e.g., \u003ccode\u003eset\u003c/code\u003e, \u003ccode\u003epush\u003c/code\u003e, \u003ccode\u003ereserve\u003c/code\u003e) is invoked, using the corrupted metadata for index calculations.\u003c/li\u003e\n\u003cli\u003eThe index calculation assumes sufficient backing storage based on the logical length/capacity, which is incorrect.\u003c/li\u003e\n\u003cli\u003eThe operation reaches unsafe internal code paths, leading to out-of-bounds memory access and a heap buffer overflow, resulting in undefined behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a heap buffer overflow, potentially leading to arbitrary code execution. The vulnerability is detectable with tools like ASAN (AddressSanitizer) and Miri. While the exact number of affected projects is unknown, any project using vulnerable versions of the \u003ccode\u003esmallbitvec\u003c/code\u003e crate is susceptible to this vulnerability. This issue allows for memory corruption and could compromise the integrity and security of applications utilizing the affected crate.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003esmallbitvec\u003c/code\u003e crate to a version greater than 2.6.0 to remediate CVE-2026-44983.\u003c/li\u003e\n\u003cli\u003eImplement runtime checks on capacity values before allocating memory to prevent integer overflows.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect \u003ccode\u003esmallbitvec\u003c/code\u003e Integer Overflow via Large Capacity\u0026rdquo; to detect attempts to trigger the vulnerability through excessively large capacity values in \u003ccode\u003eSmallBitVec\u003c/code\u003e instantiation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-smallbitvec-overflow/","summary":"An integer overflow in the `smallbitvec` crate leads to an undersized heap allocation, enabling heap buffer overflows through safe APIs, affecting versions 1.0.1 through 2.6.0.","title":"smallbitvec Integer Overflow Leads to Heap Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2024-01-23-smallbitvec-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Smallbitvec (\u003e= 1.0.1, \u003c= 2.6.0)","version":"https://jsonfeed.org/version/1.1"}