Skip to main content

Thin Vec

1 CVEs product

Monthly

CVE-2026-6654 Cargo MEDIUM PATCH GHSA This Month

Double-free and use-after-free vulnerability in Mozilla's thin_vec Rust crate allows local attackers to read sensitive memory via panic-induced length corruption in IntoIter::drop and ThinVec::clear functions. The vulnerability occurs when a panic in ptr::drop_in_place fails to reset the vector length to zero, leaving dangling pointers accessible to subsequent operations. Affected applications linking thin_vec versions prior to the patched release face local information disclosure risk with low real-world exploitation probability (EPSS 0.02%).

Information Disclosure Thin Vec
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Double-free and use-after-free vulnerability in Mozilla's thin_vec Rust crate allows local attackers to read sensitive memory via panic-induced length corruption in IntoIter::drop and ThinVec::clear functions. The vulnerability occurs when a panic in ptr::drop_in_place fails to reset the vector length to zero, leaving dangling pointers accessible to subsequent operations. Affected applications linking thin_vec versions prior to the patched release face local information disclosure risk with low real-world exploitation probability (EPSS 0.02%).

Information Disclosure Thin Vec
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy