This is a list of CVEs for unsound APIs in the Rust standard library.
These bugs break Rust's memory safety guarantee
and lead to security issues when triggered.
Fortunately, they are context-sensitive library APIs
that are not usually used in a way that the bugs can be triggered.
Many of them require very specific interaction to trigger
(e.g., partially consume an iterator and zip() it with another iterator)
that is not likely to appear in their daily usage.
Yet, we can't say for sure that there is no code out there using these APIs in a bug-triggering way. Moreover, certain applications such as TockOS and RedLeaf that use Rust's type system as an isolation mechanism can be easily attacked with these bugs. Hence, it is important to signal the existence of these bugs, and I found that issuing a CVE number and creating a RustSec advisory is the most effective way to do so.
†: Reported by me ‡: Reported as part of Rudra project
| CVE | Issue # | Title | Affected | RustSec |
|---|---|---|---|---|
| CVE-2015-20001 | 25842 | Panic safety violation in BinaryHeap | >= 1.0.0, < 1.2.0 | link |
| CVE-2017-20004 | 41622 | MutexGuard<Cell<i32>> must not be Sync | >= 1.0.0, < 1.19.0 | link |
| CVE-2018-1000657 | 44800 | Buffer overflow vulnerability in VecDeque::reserve() | >= 1.3.0, < 1.22.0 | link |
| CVE-2018-1000810 | 54399 | Buffer overflow vulnerability in str::repeat() | >= 1.26.0, < 1.29.1 | link |
| CVE-2018-25008 | 51780 | Insufficient synchronization in Arc::get_mut |
>= 1.3.0, < 1.29.0 | link |
| CVE-2019-1010299 | 53566 | vec_deque::Iter has unsound Debug implementation | >= 1.18.0, < 1.30.0 | link |
| CVE-2019-12083 | 60787 | Memory safety vulnerabilities arising from Error::type_id |
>= 1.34.0, < 1.34.2 | link |
| CVE-2020-36317 | 78498 | String::retain allows safely creating invalid strings when abusing panic | >= 1.26.0, < 1.49.0 | link |
| CVE-2020-36318 | 79808 | VecDeque::make_contiguous may duplicate the contained elements | >= 1.48.0, < 1.49.0 | link |
| CVE-2020-36323 | 80335‡ | API soundness issue in join() implementation of [Borrow<str>] | >= 1.28.0, < 1.52.0 | link |
| CVE-2021-28875 | 80894‡ | Logic bug in Read can cause buffer overflow in read_to_end() | >= 1.20.0, < 1.50.0 | link |
| CVE-2021-28876 | 81740† | Panic safety issue in Zip specialization | >= 1.14.0, < 1.52.0 | link |
| CVE-2021-28877 | 80670 | TrustedRandomAaccess specialization composes incorrectly for nested iter::Zips | >= 1.11.0, < 1.51.0 | link |
| CVE-2021-28878 | 82291 | Zip may call __iterator_get_unchecked twice with the same index | >= 1.14.0, < 1.52.0 | link |
| CVE-2021-28879 | 82282† | Zip can cause buffer overflow when a consumed Zip iterator is used again | >= 1.14.0, < 1.52.0 | link |
| CVE-2021-31162 | 83618† | Double free in Vec::from_iter specialization when drop panics | >= 1.48.0, < 1.52.0 | link |
These are soundness bugs that I plan to apply CVE IDs for. Note that I focus on soundness bugs that arise from misuse of unsafe Rust code in the standard library, so certain soundness bugs are not included in this list such as type-system bugs (e.g., #25860) or environmental bugs (e.g., #81996). I'll still update the CVE list above if such bug get assigned a CVE ID.
| Issue # | Title | Affected | CVE ID Requested |
|---|---|---|---|
| 81138 | String::replace_range is unsound | TODO | No |
| 85322 | The implementation of InPlaceIterable for Peekable is unsound |
TODO | No |
| 85613† | Double free in Vec::dedup_by when T's drop panics | TODO | No |
| 85813 | Unsound Debug impl for collections::linked_list::IterMut | TODO | No |
| 85873 | TrustedRandomAccess optimization for Zip containing vec::IntoIter is unsound | TODO | No |
| 86443† | Panic safety issue in Zip::next_back() TrustedRandomAccess specialization |
TODO | No |