Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionNVD
Double-Free / Use-After-Free (UAF) in the IntoIter::drop and ThinVec::clear functions in the thin_vec crate. A panic in ptr::drop_in_place skips setting the length to zero.
AnalysisAI
Double-free and use-after-free vulnerability in Mozilla's thin_vec Rust crate allows local attackers to read sensitive memory via panic-induced length corruption in IntoIter::drop and ThinVec::clear functions. The vulnerability occurs when a panic in ptr::drop_in_place fails to reset the vector length to zero, leaving dangling pointers accessible to subsequent operations. Affected applications linking thin_vec versions prior to the patched release face local information disclosure risk with low real-world exploitation probability (EPSS 0.02%).
Technical ContextAI
The thin_vec crate provides a space-optimized vector implementation for Rust applications. The vulnerability resides in memory management routines, specifically the drop implementation for IntoIter and the clear method for ThinVec. When drop_in_place panics during element destruction, the exception handling path fails to decrement the vector's length field, leaving the internal state inconsistent - the allocator believes the vector contains valid elements when it actually points to freed memory. Subsequent accesses to this corrupted vector structure trigger use-after-free conditions. CWE-415 classifies this as a double-free/use-after-free defect, a memory safety violation critical in systems code but contained in Rust by the type system when exploitation is attempted across safe API boundaries.
RemediationAI
Update thin_vec to the patched version released by Mozilla - consult the GitHub Security Advisory (https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j) for the exact fixed version number and run cargo update thin_vec to pull the fix into your project. No known workarounds exist for this memory safety issue short of removing thin_vec dependency; however, applications can reduce immediate risk by auditing usage of thin_vec in unsafe blocks and eliminating any code that deliberately constructs panic conditions during drop. For projects where immediate upgrade is infeasible, restrict thin_vec usage to non-sensitive data structures and avoid exposing vector internals to untrusted input that could trigger panics; note that this mitigation is defense-in-depth only and does not eliminate the vulnerability.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23832
GHSA-xphw-cqx3-667j