CVE-2021-25902: Double free in glsl-layout

August 25, 2021 (updated June 13, 2023)

Affected versions of this crate did not guard against panic within the user-provided function f (2nd parameter of fn map_array), and thus panic within f causes double drop of a single object.

The flaw was corrected in the 0.4.0 release by wrapping the object vulnerable to a double drop within ManuallyDrop.

References

github.com/advisories/GHSA-cx4j-fxr7-jxg8
github.com/rustgd/glsl-layout
github.com/rustgd/glsl-layout/pull/10
nvd.nist.gov/vuln/detail/CVE-2021-25902
rustsec.org/advisories/RUSTSEC-2021-0005.html

Detect and mitigate CVE-2021-25902 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →