29 matches found
UBUNTU-CVE-2018-20991
An issue was discovered in the smallvec crate before 0.6.3 for Rust. The Iterator implementation mishandles destructors, leading to a double free...
CVE-2019-15554
CVE-2019-15554 affects the Rust smallvec crate prior to 0.6.10. The issue is memory corruption when grow is called on a spilled SmallVec with a value smaller than current capacity, with potential to leak memory contents or enable remote code execution per OSV description. No explicit remediation/...
Memory corruption in SmallVec::grow()
Attempting to call grow on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. An attacker that controls the value passed to grow may exploit this flaw to obtain memory contents or gain remote code execution. Credits to @ehuss for...
Double-free and use-after-free in SmallVec::grow()
Attempting to call grow on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents. An attacker that controls the value passed to grow...
RUSTSEC-2019-0009 Double-free and use-after-free in SmallVec::grow()
Attempting to call grow on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents. An attacker that controls the value passed to grow...
smallvec creates uninitialized value of any type
Affected versions of this crate called mem::uninitialized to create values of a user-supplied type T. This is unsound e.g. if T is a reference type which must be non-null and thus may not remain uninitialized. The flaw was corrected by avoiding the use of mem::uninitialized, using MaybeUninit...
Possible double free during unwinding in SmallVec::insert_many
If an iterator passed to SmallVec::insert_many panicked in Iterator::next, destructors were run during unwinding while the vector was in an inconsistent state, possibly causing a double free (a destructor running on two copies of the same value). This is fixed in smallvec 0.6.3 by ensuring that the...
Boa (>=0.9.0 <=0.10.0), GetPDB (>=0.1.0 <=1.0.1) +5081 more potentially affected by CVE-2018-20991 via smallvec (>=0.6.13 <=0.6.14)
smallvec CARGO version =0.6.13, =0.9.0, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =0.2.0, =0.5.3, =0.1.0, =0.5.0, =0.5.0, =0.5.2 and more Source cves: CVE-2018-20991 Source advisory: OSV:RUSTSEC-2018-0003...
RUSTSEC-2018-0003 Possible double free during unwinding in SmallVec::insert_many
If an iterator passed to SmallVec::insert_many panicked in Iterator::next, destructors were run during unwinding while the vector was in an inconsistent state, possibly causing a double free (a destructor running on two copies of the same value). This is fixed in smallvec 0.6.3 by ensuring that the...