{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/thin-vec/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["thin-vec"],"_cs_severities":["high"],"_cs_tags":["use-after-free","double-free","memory-corruption","rust","thin-vec"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA double free/use-after-free vulnerability has been identified in the \u003ccode\u003ethin_vec\u003c/code\u003e crate, affecting versions prior to 0.2.16. The vulnerability resides in the \u003ccode\u003eIntoIter::drop\u003c/code\u003e and \u003ccode\u003eThinVec::clear\u003c/code\u003e implementations. The root cause is a failure to properly handle panics during element deallocation, leading to a double free when the container is dropped again during stack unwinding. This vulnerability can be triggered using safe Rust code, without requiring \u003ccode\u003eunsafe\u003c/code\u003e blocks. Miri and AddressSanitizer (ASAN) have confirmed the undefined behavior. Exploitation can lead to memory corruption and, when combined with \u003ccode\u003eBox\u0026lt;dyn Trait\u0026gt;\u003c/code\u003e types, potentially arbitrary code execution through heap spray and vtable hijacking. Defenders should be aware of the risk associated with using vulnerable versions of the \u003ccode\u003ethin_vec\u003c/code\u003e crate.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn application uses the \u003ccode\u003ethin_vec\u003c/code\u003e crate version prior to 0.2.16.\u003c/li\u003e\n\u003cli\u003eThe application creates a \u003ccode\u003eThinVec\u003c/code\u003e containing heap-owning types like \u003ccode\u003eString\u003c/code\u003e, \u003ccode\u003eVec\u003c/code\u003e, or \u003ccode\u003eBox\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEither \u003ccode\u003einto_iter()\u003c/code\u003e is called, and the iterator is dropped before complete consumption, or \u003ccode\u003eclear()\u003c/code\u003e is directly invoked on the \u003ccode\u003eThinVec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the deallocation of elements (either in \u003ccode\u003eIntoIter::drop\u003c/code\u003e or \u003ccode\u003eThinVec::clear\u003c/code\u003e), the \u003ccode\u003eDrop\u003c/code\u003e implementation of one of the elements triggers a panic.\u003c/li\u003e\n\u003cli\u003eDue to the panic, the \u003ccode\u003eset_len(0)\u003c/code\u003e function is not executed, leaving the \u003ccode\u003eThinVec\u003c/code\u003e with an incorrect length.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eThinVec\u003c/code\u003e is dropped again during stack unwinding (in the \u003ccode\u003eIntoIter::drop\u003c/code\u003e case) or when it goes out of scope (in the \u003ccode\u003eThinVec::clear\u003c/code\u003e case).\u003c/li\u003e\n\u003cli\u003eThe already-freed memory is freed again, resulting in a double free or use-after-free.\u003c/li\u003e\n\u003cli\u003eIf combined with \u003ccode\u003eBox\u0026lt;dyn Trait\u0026gt;\u003c/code\u003e types, an attacker might be able to reclaim the freed memory with a fake vtable via heap spraying, potentially leading to arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can lead to memory corruption and denial of service. If the freed memory is reclaimed by an attacker, it could lead to arbitrary code execution, especially when combined with \u003ccode\u003eBox\u0026lt;dyn Trait\u0026gt;\u003c/code\u003e types. The vulnerability affects all code using the \u003ccode\u003ethin_vec\u003c/code\u003e crate prior to version 0.2.16. Successful exploitation requires specific conditions to be met, including the presence of heap-owning types in the \u003ccode\u003eThinVec\u003c/code\u003e and a panic occurring during the \u003ccode\u003eDrop\u003c/code\u003e implementation of an element.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ethin-vec\u003c/code\u003e crate to version 0.2.16 or later to remediate the vulnerability (\u003ca href=\"https://github.com/advisories/GHSA-xphw-cqx3-667j\"\u003ehttps://github.com/advisories/GHSA-xphw-cqx3-667j\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, carefully review the \u003ccode\u003eDrop\u003c/code\u003e implementations of types stored in \u003ccode\u003eThinVec\u003c/code\u003e to ensure they cannot panic.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unexpected panics during the deallocation of \u003ccode\u003eThinVec\u003c/code\u003e elements.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-thin-vec-double-free/","summary":"A double free/use-after-free vulnerability exists in the `thin_vec` crate before version 0.2.16, specifically in the `IntoIter::drop` and `ThinVec::clear` implementations, which can be triggered via a panic during element deallocation, leading to memory corruption and potential arbitrary code execution.","title":"thin-vec Double Free / Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-thin-vec-double-free/"}],"language":"en","title":"CraftedSignal Threat Feed - Thin-Vec","version":"https://jsonfeed.org/version/1.1"}