CVE-2021-28032: Use after free in nano_arena
Affected versions of this crate assumed that Borrow was guaranteed to return the same value on every call to .borrow(). The borrowed index value was used to retrieve a mutable reference to a value.
If the Borrow implementation returned a different index, the split arena would allow retrieving the index as a mutable reference, creating two mutable references to the same element. This violates Rust's aliasing rules and allows for memory safety issues such as writing out of bounds and use-after-frees.
The flaw was corrected in commit 6b83f9d by storing the .borrow() value in a temporary variable.
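The double-read pattern and its fix, as an added example that is not nano_arena's code: ToySplit, Flaky, slot_buggy and slot_fixed are hypothetical names, a plain usize stands in for the crate's index type, and the functions return the slot number that would be dereferenced instead of a mutable reference, so no unsafe code is needed.

```rust
use std::borrow::Borrow;
use std::cell::Cell;

// Constructed key type: each borrow() call returns the next of two values.
struct Flaky { calls: Cell<usize>, vals: [usize; 2] }

impl Borrow<usize> for Flaky {
    fn borrow(&self) -> &usize {
        let n = self.calls.get();
        self.calls.set(n + 1);
        &self.vals[n % 2]
    }
}

// Toy stand-in for a split arena: slot `selected` is already mutably
// borrowed by the caller and must never be handed out a second time.
struct ToySplit { selected: usize, len: usize }

impl ToySplit {
    // Pre-fix pattern: one borrow() for the check, another for the lookup.
    fn slot_buggy<I: Borrow<usize>>(&self, idx: I) -> Option<usize> {
        let checked: &usize = idx.borrow();
        if *checked == self.selected { return None; }
        let slot: &usize = idx.borrow(); // second call may yield a different index
        (*slot < self.len).then_some(*slot)
    }

    // Fix pattern: read borrow() once into a temporary, then check and use it.
    fn slot_fixed<I: Borrow<usize>>(&self, idx: I) -> Option<usize> {
        let slot: &usize = idx.borrow();
        if *slot == self.selected || *slot >= self.len { return None; }
        Some(*slot)
    }
}

fn flaky(first: usize, second: usize) -> Flaky {
    Flaky { calls: Cell::new(0), vals: [first, second] }
}

fn main() {
    let split = ToySplit { selected: 2, len: 4 };
    // The buggy path validates index 1 but then resolves the reserved slot 2.
    println!("buggy: {:?}", split.slot_buggy(flaky(1, 2)));
    println!("fixed: {:?}", split.slot_fixed(flaky(1, 2)));
}
```

When auditing generic code that accepts a Borrow, AsRef or Deref argument, treat every call to the trait method as potentially returning a different value and check that validation and use share one read.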