CVE-2019-16139:
Out of bounds access in compact_arena
CVSS Score: 9.8
Basic Information
CVE ID: CVE-2019-16139
GHSA ID: -
EPSS Score: -
CWE: -
Published: 8/25/2021
Updated: 6/13/2023
KEV Status: No
Technology: Rust
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| compact_arena | rust | < 0.4.0 | 0.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from an incomplete generativity scheme in arena creation. The RustSec advisory explicitly lists SmallArena::new as a vulnerable function. Because new() did not bind each arena to a properly invariant lifetime, two arena instances could end up with compatible types, so an index minted by one arena could be passed to another. Since arena indices are trusted as valid rather than bounds-checked, such a mixed index can reach past the other arena's storage, which is the out-of-bounds read or write described by CWE-125/CWE-787 and demonstrated by the advisory's reproduction example of cross-arena index use.
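As an added illustration (not compact_arena's code and not the advisory's reproduction), the following Rust sketch shows the branded-lifetime pattern that generativity relies on: each arena is created inside a closure with a fresh invariant lifetime, so every index carries its arena's brand and the compiler rejects its use with any other arena. The names `Arena`, `Idx`, `Brand` and `with_arena` are assumptions chosen for this example.

```rust
use std::marker::PhantomData;

// Invariant brand: a `fn(&'id ()) -> &'id ()` pointer makes `'id` neither
// shrinkable nor growable, so arenas with different brands never unify.
// (Assumed helper name; not the crate's own type.)
type Brand<'id> = PhantomData<fn(&'id ()) -> &'id ()>;

/// Index tied to exactly one arena by its brand lifetime.
#[derive(Clone, Copy)]
pub struct Idx<'id> {
    pos: u32,
    brand: Brand<'id>,
}

/// Minimal branded arena (assumed name, illustrative only).
pub struct Arena<'id, T> {
    items: Vec<T>,
    brand: Brand<'id>,
}

impl<'id, T> Arena<'id, T> {
    pub fn add(&mut self, value: T) -> Idx<'id> {
        let pos = self.items.len() as u32;
        self.items.push(value);
        Idx { pos, brand: PhantomData }
    }

    /// Only an `Idx<'id>` minted by this arena's `add` can be passed here,
    /// which is what lets arena crates skip bounds checks. This example keeps
    /// the checked index so a broken brand would panic instead of reading OOB.
    pub fn get(&self, idx: Idx<'id>) -> &T {
        &self.items[idx.pos as usize]
    }
}

/// The higher-ranked closure bound is what makes `'id` fresh per call: the
/// caller can never name `'id`, so it cannot coerce two arenas to one type.
pub fn with_arena<T, R>(f: impl for<'id> FnOnce(Arena<'id, T>) -> R) -> R {
    f(Arena { items: Vec::new(), brand: PhantomData })
}

/// Valid use: both indices belong to the arena they are looked up in.
pub fn sum_two() -> u32 {
    with_arena(|mut a| {
        let i = a.add(10u32);
        let j = a.add(32u32);
        *a.get(i) + *a.get(j)
    })
}

// Cross-arena use does not compile: inside nested `with_arena` calls, an
// `Idx<'a>` from the outer arena cannot be passed to `b.get`, which wants
// `Idx<'b>`; the lifetime mismatch is rejected before any access happens.
```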