CVE Daily
← All tags

Tag: Rust

All CVEs associated with "Rust". Page 3/6 • 672 CVEs.

Subscribe CVEs: RSS for “Rust”  ·  RSS (High+Critical only)

About “Rust”

A curated feed of “Rust”-related CVEs appears below. We currently track 672 CVEs for this tag (all time). In the last 365 days, 163 were published. Average CVSS is 7.4 (all time; 6.8 over 365d), and 67% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-20 - Improper Input Validation, CWE-190 - Integer Overflow or Wraparound, CWE-770 - Allocation of Resources Without Limits or Throttling.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-03-15
High

CVE-2024-28854

tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 `TcpStream`s a second, sending 0 bytes,…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-03-06
High

CVE-2024-27308

Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from…

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
2024-02-29
High

CVE-2024-27284

cassandra-rs is a Cassandra (CQL) driver for Rust. Code that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed mem…

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
2024-02-13
Medium

CVE-2024-21491

Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker c…

CVSS: 5.9 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2024-01-24
Medium

CVE-2024-23644

Trillium is a composable toolkit for building internet applications with async rust. In `trillium-http` prior to 0.3.12 and `trillium-client` prior to 0.5.4, insufficient validation of outbound heade…

CVSS: 6.8 CWE: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') View on NVD
2024-01-02
Medium

CVE-2024-21629

Rust EVM is an Ethereum Virtual Machine interpreter. In `rust-evm`, a feature called `record_external_operation` was introduced, allowing library users to record custom gas changes. This feature can…

CVSS: 5.9 CWE: CWE-703 - Improper Check or Handling of Exceptional Conditions View on NVD
Medium

CVE-2023-50711

vmm-sys-util is a collection of modules that provides helpers and utilities used by multiple rust-vmm components. Starting in version 0.5.0 and prior to version 0.12.0, an issue in the `FamStructWrap…

CVSS: 5.7 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-12-18
Medium

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from…

CVSS: 5.9 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
2023-12-08
High

CVE-2023-6245

The Candid library causes a Denial of Service while parsing a specially crafted payload with 'empty' data type. For example, if the payload is `record { * ; empty }` and the canister interface expe…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2023-11-28
Medium

CVE-2023-49092

RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable ove…

CVSS: 5.9 CWE: CWE-385 - Covert Timing Channel View on NVD
2023-10-25
Medium

CVE-2023-46135

rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used.`inner_payload_len` should not above 64. This vulnerability…

CVSS: 5.3 CWE: CWE-248 - Uncaught Exception View on NVD
2023-10-18
High

CVE-2023-45812

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS…

CVSS: 7.5 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
2023-09-22
Medium

CVE-2023-42811

aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e…

CVSS: 4.7 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2023-09-21
High

CVE-2023-43669

The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The len…

CVSS: 7.5 CWE: N/A View on NVD
2023-09-19
High

CVE-2023-42447

blurhash-rs is a pure Rust implementation of Blurhash, software for encoding images into ASCII strings that can be turned into a gradient of colors representing the original image. In version 0.1.1,…

CVSS: 8.6 CWE: CWE-248 - Uncaught Exception View on NVD
High

CVE-2023-42444

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic…

CVSS: 8.6 CWE: CWE-248 - Uncaught Exception View on NVD
2023-09-05
High

CVE-2023-41317

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (D…

CVSS: 7.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2023-09-01
Low

CVE-2023-41051

In a typical Virtual Machine Monitor (VMM) there are several components, such as boot loader, virtual device drivers, virtio backend drivers and vhost drivers, that need to access the VM physical mem…

CVSS: 2.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
2023-08-24
Medium

CVE-2023-40030

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-08-04
High

CVE-2023-38497

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate arc…

CVSS: 7.9 CWE: CWE-278 - Insecure Preserved Inherited Permissions View on NVD
2023-08-03
Medium

CVE-2023-3766

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data rece…

CVSS: 5.9 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2023-07-18
Medium

CVE-2021-32256

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.

CVSS: 6.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-06-21
High

CVE-2023-33289

The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs. NOTE: the Supplier disputes this, taking the position that "Slow printing of…

CVSS: 7.5 CWE: CWE-1333 - Inefficient Regular Expression Complexity View on NVD
2023-06-14
Medium

CVE-2023-34449

ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value…

CVSS: 5.3 CWE: CWE-253 - Incorrect Check of Function Return Value View on NVD
2023-06-12
High

CVE-2023-33290

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python).

CVSS: 7.5 CWE: CWE-1333 - Inefficient Regular Expression Complexity View on NVD
2023-06-05
High

CVE-2023-34411

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.…

CVSS: 7.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2023-05-27
High

CVE-2023-33192

ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially cr…

CVSS: 7.5 CWE: CWE-130 - Improper Handling of Length Parameter Inconsistency View on NVD
2023-04-27
Low

CVE-2023-30624

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level…

CVSS: 3.9 CWE: CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior View on NVD
2023-04-19
Medium

CVE-2023-30610

aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2023-03-28
Medium

CVE-2023-28631

comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with `parse_document…

CVSS: 5.3 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
Medium

CVE-2023-28626

comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A range of quadratic parsing issues are present in Comrak. These can be used to craft denial-of-service attacks o…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-03-24
Medium

CVE-2023-28448

Versionize is a framework for version tolerant serializion/deserialization of Rust data structures, designed for usecases that need fast deserialization times and minimal size overhead. An issue was…

CVSS: 5.7 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2023-28446

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear t…

CVSS: 8.8 CWE: CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences View on NVD
Critical

CVE-2023-28445

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could resu…

CVSS: 9.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
2023-03-16
Medium

CVE-2023-28113

russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared sec…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2023-01-17
High

CVE-2023-22499

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that pro…

CVSS: 7.5 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2023-01-13
Critical

CVE-2022-45299

An issue in the IpFile argument of rust-lang webbrowser-rs v0.8.2 allows attackers to access arbitrary files via supplying a crafted URL.

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-01-11
Medium

CVE-2022-46176

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could explo…

CVSS: 5.3 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2023-01-10
High

CVE-2023-22895

The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crate…

CVSS: 7.5 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
2023-01-04
Medium

CVE-2023-22466

Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode`…

CVSS: 5.4 CWE: CWE-665 - Improper Initialization View on NVD
2022-12-07
High

CVE-2022-23486

libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memor…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-11-30
Medium

CVE-2022-46149

Cap'n Proto is a data interchange format and remote procedure call (RPC) system. Cap'n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap'n Proto's Rust implementatio…

CVSS: 5.4 CWE: CWE-125 - Out-of-bounds Read View on NVD
2022-11-22
Medium

CVE-2022-39397

aliyun-oss-client is a rust client for Alibaba Cloud OSS. Users of this library will be affected, the incoming secret will be disclosed unintentionally. This issue has been patched in version 0.8.1.

CVSS: 5.6 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-10-31
High

CVE-2022-39294

conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](ht…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-10-25
Medium

CVE-2022-39354

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static conte…

CVSS: 5.9 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
2022-09-29
High

CVE-2022-39252

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from thei…

CVSS: 8.6 CWE: CWE-287 - Improper Authentication View on NVD
2022-09-14
Medium

CVE-2022-36114

Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternat…

CVSS: 4.8 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2022-36113

Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it…

CVSS: 4.6 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2022-08-09
High

CVE-2022-36125

It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs).…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2022-36124

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.1…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
High

CVE-2022-35724

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2022-08-01
High

CVE-2022-35922

Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. Th…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2022-31173

Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Use…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-07-22
High

CVE-2022-31162

Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting wa…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-06-13
Critical

CVE-2022-31053

Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ…

CVSS: 9.8 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2022-05-20
Medium

CVE-2022-29185

totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could t…

CVSS: 4.2 CWE: CWE-203 - Observable Discrepancy View on NVD
2022-03-26
Medium

CVE-2022-27943

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

CVSS: 5.5 CWE: CWE-674 - Uncontrolled Recursion View on NVD
2022-03-08
High

CVE-2022-24713

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted i…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-02-15
High

CVE-2022-23639

crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that t…

CVSS: 8.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2022-01-20
High

CVE-2022-21658

Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_d…

CVSS: 7.3 CWE: CWE-363 - Race Condition Enabling Link Following View on NVD
2022-01-14
Medium

CVE-2021-46195

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessiv…

CVSS: 5.5 CWE: CWE-674 - Uncontrolled Recursion View on NVD
2021-12-27
High

CVE-2021-45711

An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 for Rust. There is a panic if UTCTime data, supplied by a remote attacker, has a second character greater than 0x7f.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-45710

An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory…

CVSS: 8.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Critical

CVE-2021-45709

An issue was discovered in the crypto2 crate through 2021-10-08 for Rust. During Chacha20 encryption and decryption, an unaligned read of a u32 may occur.

CVSS: 9.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
High

CVE-2021-45708

An issue was discovered in the abomonation crate through 2021-10-17 for Rust. Because transmute operations are insufficiently constrained, there can be an information leak or ASLR bypass.

CVSS: 7.5 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
Critical

CVE-2021-45707

An issue was discovered in the nix crate 0.16.0 and later before 0.20.2, 0.21.x before 0.21.2, and 0.22.x before 0.22.2 for Rust. unistd::getgrouplist has an out-of-bounds write if a user is in more…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2021-45706

An issue was discovered in the zeroize_derive crate before 1.1.1 for Rust. Dropped memory is not zeroed out for an enum.

CVSS: 9.8 CWE: CWE-459 - Incomplete Cleanup View on NVD
Critical

CVE-2021-45705

An issue was discovered in the nanorand crate before 0.6.1 for Rust. There can be multiple mutable references to the same object because the TlsWyRand Deref implementation dereferences a raw pointer.

CVSS: 9.8 CWE: N/A View on NVD
High

CVE-2021-45704

An issue was discovered in the metrics-util crate before 0.7.0 for Rust. There is a data race and memory corruption because AtomicBucket<T> unconditionally implements the Send and Sync traits.

CVSS: 8.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Critical

CVE-2021-45703

An issue was discovered in the tectonic_xdv crate before 0.1.12 for Rust. XdvParser::<T>::process may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2021-45702

An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A merge operation may result in a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
Critical

CVE-2021-45701

An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A patch operation may result in a use-after-free.

CVSS: 9.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45700

An issue was discovered in the ckb crate before 0.40.0 for Rust. Attackers can cause a denial of service (Nervos CKB blockchain node crash) via a dead call that is used as a DepGroup.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2021-45699

An issue was discovered in the ckb crate before 0.40.0 for Rust. Remote attackers may be able to conduct a 51% attack against the Nervos CKB blockchain by triggering an inability to allocate memory f…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Critical

CVE-2021-45698

An issue was discovered in the ckb crate before 0.40.0 for Rust. A get_block_template RPC call may fail in situations where it is supposed to select a Nervos CKB blockchain transaction with a higher…

CVSS: 9.8 CWE: N/A View on NVD
Critical

CVE-2021-45697

An issue was discovered in the molecule crate before 0.7.2 for Rust. A FixVec partial read has an incorrect result.

CVSS: 9.8 CWE: N/A View on NVD
Critical

CVE-2021-45696

An issue was discovered in the sha2 crate 0.9.7 before 0.9.8 for Rust. Hashes of long messages may be incorrect when the AVX2-accelerated backend is used.

CVSS: 9.8 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
Critical

CVE-2021-45695

An issue was discovered in the mopa crate through 2021-06-01 for Rust. It incorrectly relies on Trait memory layout, possibly leading to future occurrences of arbitrary code execution or ASLR bypass.

CVSS: 9.8 CWE: N/A View on NVD
High

CVE-2021-45694

An issue was discovered in the rdiff crate through 2021-02-03 for Rust. Window may read from uninitialized memory locations.

CVSS: 7.5 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45693

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string_primitive may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45692

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_extension_others may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45691

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45690

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_binary may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45689

An issue was discovered in the gfx-auxil crate through 2021-01-07 for Rust. gfx_auxil::read_spirv may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45688

An issue was discovered in the ash crate before 0.33.1 for Rust. util::read_spv may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45687

An issue was discovered in the raw-cpuid crate before 9.1.1 for Rust. If the serialize feature is used (which is not the the default), a Deserialize operation may lack sufficient validation, leading…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2021-45686

An issue was discovered in the csv-sniffer crate through 2021-01-05 for Rust. preamble_skipcount may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45685

An issue was discovered in the columnar crate through 2021-01-07 for Rust. ColumnarReadExt::read_typed_vec may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45684

An issue was discovered in the flumedb crate through 2021-01-07 for Rust. read_entry may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45683

An issue was discovered in the binjs_io crate through 2021-01-03 for Rust. The Read method may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2021-45682

An issue was discovered in the bronzedb-protocol crate through 2021-01-03 for Rust. ReadKVExt may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2021-45681

An issue was discovered in the derive-com-impl crate before 0.1.2 for Rust. An invalid reference (and memory corruption) can occur because AddRef might not be called before returning a pointer.

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-45680

An issue was discovered in the vec-const crate before 2.0.0 for Rust. It tries to construct a Vec from a pointer to a const slice, leading to memory corruption.

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2020-36514

An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. fill_buf may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2020-36513

An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. read_up_to may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
Critical

CVE-2020-36512

An issue was discovered in the buffoon crate through 2020-12-31 for Rust. InputStream::read_exact may read from uninitialized memory locations.

CVSS: 9.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2020-36511

An issue was discovered in the bite crate through 2020-12-31 for Rust. read::BiteReadExpandedExt::read_framed_max may read from uninitialized memory locations.

CVSS: 7.5 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2019-25055

An issue was discovered in the libpulse-binding crate before 2.6.0 for Rust. It mishandles a panic that crosses a Foreign Function Interface (FFI) boundary.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2019-25054

An issue was discovered in the pnet crate before 0.27.2 for Rust. There is a segmentation fault (upon attempted dereference of an uninitialized descriptor) because of an erroneous IcmpTransportChanne…

CVSS: 7.5 CWE: CWE-909 - Missing Initialization of Resource View on NVD
High

CVE-2018-25028

An issue was discovered in the libpulse-binding crate before 1.2.1 for Rust. get_context can cause a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2018-25027

An issue was discovered in the libpulse-binding crate before 1.2.1 for Rust. get_format_info can cause a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
Critical

CVE-2018-25026

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can add the Send marker trait to an object that cannot be sent between threads safely, leading to memory corruption.

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2018-25025

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly extend the lifetime of a string, leading to memory corruption.

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2018-25024

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption.

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2018-25023

An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type.

CVSS: 7.5 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
2021-12-26
High

CVE-2021-45720

An issue was discovered in the lru crate before 0.7.1 for Rust. The iterators have a use-after-free, as demonstrated by an access after a pop operation.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45719

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. update_hook has a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45718

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. rollback_hook has a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45717

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. commit_hook has a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45716

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_collation has a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45715

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_window_function has a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45714

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_aggregate_function has a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45713

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_scalar_function has a use-after-free.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-45712

An issue was discovered in the rust-embed crate before 6.3.0 for Rust. A ../ directory traversal can sometimes occur in debug mode.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2021-11-15
High

CVE-2021-43620

An issue was discovered in the fruity crate through 0.2.0 for Rust. Security-relevant validation of filename extensions is plausibly affected. Methods of NSString for conversion to a string may retur…

CVSS: 7.5 CWE: N/A View on NVD
2021-10-19
High

CVE-2021-41150

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names…

CVSS: 8.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2021-41149

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when cac…

CVSS: 8.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2021-10-18
High

CVE-2021-41153

The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to G…

CVSS: 8.7 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
2021-09-17
Medium

CVE-2021-39219

Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which fun…

CVSS: 6.3 CWE: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion') View on NVD
2021-08-10
High

CVE-2021-38512

An issue was discovered in the actix-http crate before 3.0.0-beta.9 for Rust. HTTP/1 request smuggling (aka HRS) can occur, potentially leading to credential disclosure.

CVSS: 7.5 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD