CVE-2019-16139: Out of bounds access in compact_arena

August 25, 2021 (updated June 13, 2023)

Affected versions of this crate did not properly implement the generativity, because the invariant lifetimes were not necessarily dropped.

This allows an attacker to mix up two arenas, using indices created from one arena with another one. This might lead to an out-of-bounds read or write access into the memory reserved for the arena.

The flaw was corrected by implementing generativity correctly in version 0.4.0.

References

github.com/advisories/GHSA-7j36-gc4r-9x3r
github.com/llogiq/compact_arena
github.com/llogiq/compact_arena/issues/22
nvd.nist.gov/vuln/detail/CVE-2019-16139
rustsec.org/advisories/RUSTSEC-2019-0015.html

Detect and mitigate CVE-2019-16139 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →