CVE-2020-35893: Off-by-one error in simple-slab
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.55713%
CWE
Published
8/25/2021
Updated
4/6/2023
KEV Status
No
Technology
Rust
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
simple-slab | rust | < 0.3.3 | 0.3.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The CVE description explicitly mentions remove() has an off-by-one error. The commit diff shows the vulnerable line 'last_elem_ptr = self.mem.offset(self.len as isize)' was changed to '(self.len - 1)', confirming the off-by-one.
- Issue #2 and advisory descriptions mention index() allowing OOB reads. The commit added 'assert!(index < self.len)' to index(), proving prior lack of bounds checking.
- Both functions are in src/lib.rs as shown in the diff, with clear vulnerability patterns matching CWE-193 (Off-by-one) and CWE-125 (Out-of-bounds read).