CVE-2021-28033: Deserializing an array can free uninitialized memory in byte_struct
byte_struct packs and unpacks structures as raw bytes with a packed or bit-field layout. An issue was discovered in the byte_struct crate before 0.6.1 for Rust: uninitialized memory can be dropped if a certain deserialization method panics.
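The bug class described above, shown as an added example that is not byte_struct's own code: an array is filled element by element, and a guard ensures that a panic part-way through drops only the elements already written. `Tracked`, `read_elem`, `Guard` and `read_array` are hypothetical names, and the input bytes are constructed.

```rust
use std::mem::{self, MaybeUninit};
use std::panic;
use std::sync::atomic::{AtomicUsize, Ordering};

pub static DROPS: AtomicUsize = AtomicUsize::new(0);

/// Constructed element type: counts drops so we can see what gets freed.
pub struct Tracked(pub u8);
impl Drop for Tracked {
    fn drop(&mut self) { DROPS.fetch_add(1, Ordering::SeqCst); }
}

/// Hypothetical element decoder; panics on 0xFF to model a failing read.
fn read_elem(b: u8) -> Tracked {
    if b == 0xFF { panic!("bad element"); }
    Tracked(b)
}

/// Owns only the prefix of the array that has been initialized so far.
struct Guard<'a, T, const N: usize> { slots: &'a mut [MaybeUninit<T>; N], init: usize }
impl<T, const N: usize> Drop for Guard<'_, T, N> {
    fn drop(&mut self) {
        // Runs during unwinding: drop slots[..init], never the uninitialized tail.
        for s in &mut self.slots[..self.init] { unsafe { s.assume_init_drop() } }
    }
}

/// Panic-safe array read. The unsound shape of this bug class declares the buffer
/// as an already-initialized [Tracked; N], so a panic mid-loop drops all N slots.
pub fn read_array<const N: usize>(bytes: &[u8; N]) -> [Tracked; N] {
    let mut slots: [MaybeUninit<Tracked>; N] = std::array::from_fn(|_| MaybeUninit::uninit());
    let mut g = Guard { slots: &mut slots, init: 0 };
    for (i, b) in bytes.iter().enumerate() {
        g.slots[i].write(read_elem(*b)); // may panic
        g.init += 1;
    }
    mem::forget(g); // success: ownership moves to the returned array
    unsafe { mem::transmute_copy::<_, [Tracked; N]>(&slots) }
}

/// Number of Tracked values dropped when the third element fails to decode.
pub fn drops_after_failed_read() -> usize {
    DROPS.store(0, Ordering::SeqCst);
    let r = panic::catch_unwind(|| read_array(&[1, 2, 0xFF, 4]));
    assert!(r.is_err());
    DROPS.load(Ordering::SeqCst)
}

fn main() {
    println!("dropped after panic: {}", drops_after_failed_read());
}
```

In safe Rust the same guarantee comes from building the array with `std::array::from_fn`, which handles a panicking closure without exposing uninitialized elements.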
Detect and mitigate CVE-2021-28033 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.