CVE-2021-26951: Out of bounds write in calamine

August 25, 2021 (updated April 26, 2022)

An issue was discovered in the calamine crate before 0.17.0 for Rust. It allows attackers to overwrite heap-memory locations because Vec::set_len is used without proper memory claiming, and this uninitialized memory is used for a user-provided Read operation, as demonstrated by Sectors::get.

References

github.com/advisories/GHSA-ppqp-78xx-3r38
github.com/tafia/calamine
github.com/tafia/calamine/issues/199
nvd.nist.gov/vuln/detail/CVE-2021-26951
rustsec.org/advisories/RUSTSEC-2021-0015.html

Detect and mitigate CVE-2021-26951 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →