CVE-2021-31996: Double free in algorithmica
An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. In the affected versions of this crate, merge_sort::merge() wildly duplicates and drops ownership of T without guarding against double-free. Because of this implementation, simply invoking merge_sort::merge() on Vec<T: Drop> can cause double free bugs.
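The ownership problem described above, as an added example that is not algorithmica's code and not part of the advisory. `merge_duplicating` is a hypothetical merge that copies elements with `ptr::read` while the inputs still own them, `merge_moving` is a hardened form, and the constructed `Tracked` type logs destructor runs so duplicate drops become countable; all of these names are assumptions.

```rust
use std::cell::RefCell;

// Constructed test type: logs its id on every drop and owns no heap memory,
// so a duplicated drop shows up in the log instead of corrupting the allocator.
struct Tracked<'a> { id: u32, log: &'a RefCell<Vec<u32>> }
impl Drop for Tracked<'_> {
    fn drop(&mut self) { self.log.borrow_mut().push(self.id); }
}
fn tracked<'a>(ids: &[u32], log: &'a RefCell<Vec<u32>>) -> Vec<Tracked<'a>> {
    ids.iter().map(|&id| Tracked { id, log }).collect()
}

// Hypothetical flawed merge (not the crate's code): ptr::read bit-copies each
// element while `a` and `b` still own the original, so every T has two owners.
fn merge_duplicating<T, K: Ord>(a: &[T], b: &[T], key: impl Fn(&T) -> K) -> Vec<T> {
    let (mut out, mut i, mut j) = (Vec::new(), 0, 0);
    while i < a.len() || j < b.len() {
        let take_a = j == b.len() || (i < a.len() && key(&a[i]) <= key(&b[j]));
        let src = if take_a { i += 1; &a[i - 1] } else { j += 1; &b[j - 1] };
        out.push(unsafe { std::ptr::read(src) }); // duplicate owner, never forgotten
    }
    out
}

// Hardened merge: takes both inputs by value and moves each element exactly once.
fn merge_moving<T, K: Ord>(a: Vec<T>, b: Vec<T>, key: impl Fn(&T) -> K) -> Vec<T> {
    let (mut a, mut b, mut out) = (a.into_iter().peekable(), b.into_iter().peekable(), Vec::new());
    loop {
        let take_a = match (a.peek(), b.peek()) {
            (Some(x), Some(y)) => key(x) <= key(y),
            (x, _) => x.is_some(), // one side is empty: drain whichever is left
        };
        match if take_a { a.next() } else { b.next() } { Some(v) => out.push(v), None => return out }
    }
}

// Number of ids whose destructor ran more than once (0 means the merge is sound).
fn duplicate_drops(flawed: bool) -> usize {
    let log = RefCell::new(Vec::new());
    {
        let (a, b) = (tracked(&[1, 4, 6], &log), tracked(&[2, 3, 5], &log));
        let merged = if flawed { merge_duplicating(&a, &b, |t| t.id) } else { merge_moving(a, b, |t| t.id) };
        assert!(merged.windows(2).all(|w| w[0].id <= w[1].id)); // output is sorted
    }
    let mut ids = log.into_inner();
    ids.sort();
    ids.windows(2).filter(|w| w[0] == w[1]).count()
}

fn main() { println!("flawed: {}, hardened: {}", duplicate_drops(true), duplicate_drops(false)); }
```

With an element type that owns heap memory, each duplicated drop counted here would be a second free of the same allocation; the same drop-count check works as a regression test for any generic container code that uses `unsafe` moves.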