smallbitvec CVE-2026-44983
HIGH
GHSA-97wc-2hqc-cjgr
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
3DescriptionNVD
Summary
An integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller.
Details
The issue originates from unchecked arithmetic in the internal helper function responsible for computing the required buffer size:
(cap + bits_per_storage() - 1) / bits_per_storage()When cap is close to usize::MAX, the addition:
cap + bits_per_storage() - 1can overflow in release builds and wrap around due to Rust’s default wrapping semantics for integer overflow in optimized builds.
As a result:
buffer_len(cap)may return a value significantly smaller than required.- The backing storage is allocated with insufficient size.
- Internal metadata (logical length/capacity) reflects a much larger size than the actual allocation.
Subsequent safe API calls (e.g., set, push, reserve) rely on this corrupted metadata and perform index computations that assume sufficient backing storage. These operations eventually reach unsafe internal code paths (e.g., pointer arithmetic and unchecked indexing), leading to out-of-bounds memory access.
Summary of the issue: integer overflow → undersized allocation → inconsistent metadata (len/cap vs actual buffer) → unsafe internal access using corrupted metadata → heap buffer overflow (UB)
PoC
#### PoC 1: Out-of-bounds write via from_elem
#![forbid(unsafe_code)]
use smallbitvec::SmallBitVec;
fn main() {
// Triggers overflow in buffer_len(cap)
let mut v = SmallBitVec::from_elem(usize::MAX, false);
// Logical length is large, but backing storage is undersized
// This leads to out-of-bounds write in unsafe internals
v.set(0, true);
}#### PoC 2: Overflow via reserve
#![forbid(unsafe_code)]
use smallbitvec::SmallBitVec;
fn main() {
let mut v = SmallBitVec::new();
v.push(true);
// Triggers overflow in capacity computation
v.reserve(usize::MAX - 10);
}Impact
- Heap buffer overflow via safe API only
- ASAN-observable heap-buffer-overflow
- Undefined Behavior detectable with Miri (e.g., out-of-bounds indexing due to corrupted metadata)
Tested on
- rustc 1.96.0-nightly (9602bda1d 2026-04-05)
- Target: x86_64-unknown-linux-gnu
- Build: release
- ASAN:
RUSTFLAGS="-Z sanitizer=address" cargo +nightly run --release - Miri:
cargo +nightly miri run --release
AnalysisAI
Integer overflow in Rust crate smallbitvec allows heap buffer overflow through safe API calls when capacity values approach usize::MAX. The vulnerability affects versions 1.0.1 through 2.6.0 and enables memory corruption without requiring unsafe code blocks, violating Rust's memory safety guarantees. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all internal and third-party dependencies on smallbitvec (1.0.1-2.6.0) using dependency scanning tools (cargo-tree, SBOM analysis). Within 7 days: Isolate affected systems from untrusted input sources or restrict to read-only operations pending vendor patch; engage smallbitvec maintainers to confirm remediation timeline. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today