Skip to main content

Thin Vec EUVDEUVD-2026-23832

| CVE-2026-6654 MEDIUM
Double Free (CWE-415)
2026-04-20 mozilla GHSA-xphw-cqx3-667j
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat
7.3 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 21, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 20, 2026 - 14:22 vuln.today
CVSS changed
Apr 20, 2026 - 14:22 NVD
5.1 (MEDIUM)
EUVD ID Assigned
Apr 20, 2026 - 10:45 euvd
EUVD-2026-23832
Analysis Generated
Apr 20, 2026 - 10:45 vuln.today
CVE Published
Apr 20, 2026 - 10:05 nvd
MEDIUM 5.1

DescriptionNVD

Double-Free / Use-After-Free (UAF) in the IntoIter::drop and ThinVec::clear functions in the thin_vec crate. A panic in ptr::drop_in_place skips setting the length to zero.

AnalysisAI

Double-free and use-after-free vulnerability in Mozilla's thin_vec Rust crate allows local attackers to read sensitive memory via panic-induced length corruption in IntoIter::drop and ThinVec::clear functions. The vulnerability occurs when a panic in ptr::drop_in_place fails to reset the vector length to zero, leaving dangling pointers accessible to subsequent operations. Affected applications linking thin_vec versions prior to the patched release face local information disclosure risk with low real-world exploitation probability (EPSS 0.02%).

Technical ContextAI

The thin_vec crate provides a space-optimized vector implementation for Rust applications. The vulnerability resides in memory management routines, specifically the drop implementation for IntoIter and the clear method for ThinVec. When drop_in_place panics during element destruction, the exception handling path fails to decrement the vector's length field, leaving the internal state inconsistent - the allocator believes the vector contains valid elements when it actually points to freed memory. Subsequent accesses to this corrupted vector structure trigger use-after-free conditions. CWE-415 classifies this as a double-free/use-after-free defect, a memory safety violation critical in systems code but contained in Rust by the type system when exploitation is attempted across safe API boundaries.

RemediationAI

Update thin_vec to the patched version released by Mozilla - consult the GitHub Security Advisory (https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j) for the exact fixed version number and run cargo update thin_vec to pull the fix into your project. No known workarounds exist for this memory safety issue short of removing thin_vec dependency; however, applications can reduce immediate risk by auditing usage of thin_vec in unsafe blocks and eliminating any code that deliberately constructs panic conditions during drop. For projects where immediate upgrade is infeasible, restrict thin_vec usage to non-sensitive data structures and avoid exposing vector internals to untrusted input that could trigger panics; note that this mitigation is defense-in-depth only and does not eliminate the vulnerability.

Vendor StatusVendor

Share

EUVD-2026-23832 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy