CVE-2021-28033:
Deserializing an array can free uninitialized memory in byte_struct

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.63189%
Published: 8/25/2021
Updated: 3/31/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: byte_struct
Ecosystem: rust
Vulnerable Versions: < 0.6.1
First Patched Version: 0.6.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unsafe memory initialization patterns in the array deserialization functions. The commit diff shows both functions were using std::mem::uninitialized() followed by pointer writes in a loop; if any element's deserialization panics, the array is left partially initialized and the panic unwinding drops the slots that were never written. The patch replaced this with safe initialization via Vec collection and try_into(), confirming these were the vulnerable functions. The CWE-908 (Uninitialized Resource) mapping and the GitHub issue reproduction both directly implicate these array deserialization methods.
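The following is an added example, not the byte_struct crate's own code. It shows the unsound pattern the analysis describes (kept as a comment so it is never executed) next to the patched shape, collecting into a Vec and converting with try_into(), and then demonstrates with a Drop-counting type that a panic part-way through now drops only the elements that were actually constructed. The Unpack trait, the const-generic formulation, the Tracked type and the input bytes are all assumptions constructed for this demonstration.

```rust
use std::convert::TryInto;
use std::panic::{self, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};

/// Minimal stand-in for a per-element deserialization hook (assumption: the
/// real byte_struct trait has a different shape; only the "panics on
/// truncated input" behaviour matters here).
pub trait Unpack: Sized {
    fn unpack(bytes: &mut &[u8]) -> Self;
}

impl Unpack for u16 {
    fn unpack(bytes: &mut &[u8]) -> Self {
        // split_at panics when fewer than 2 bytes remain: a panicking element deserializer.
        let (head, rest) = bytes.split_at(2);
        *bytes = rest;
        u16::from_le_bytes([head[0], head[1]])
    }
}

// The unsound pattern the analysis describes, reconstructed for illustration
// (a const-generic rendering of my own, not the crate's code) and deliberately
// left as a comment: a panic inside `T::unpack` at index i unwinds with
// `arr[i..]` never written, and the array's drop glue then runs over those
// uninitialized slots.
//
// unsafe fn unpack_array_unsound<T: Unpack, const N: usize>(bytes: &mut &[u8]) -> [T; N] {
//     let mut arr: [T; N] = std::mem::uninitialized();
//     for i in 0..N {
//         std::ptr::write(&mut arr[i], T::unpack(bytes));
//     }
//     arr
// }

/// The patched shape: collect into a Vec, then convert with `try_into`.
/// The Vec only ever owns fully constructed elements, so a panic part-way
/// through drops exactly those and never touches uninitialized memory.
pub fn unpack_array<T: Unpack, const N: usize>(bytes: &mut &[u8]) -> [T; N] {
    let elems: Vec<T> = (0..N).map(|_| T::unpack(bytes)).collect();
    elems
        .try_into()
        .unwrap_or_else(|_| unreachable!("collected exactly N elements"))
}

/// Counts how many `Tracked` values are dropped during the panic demo.
static DROPS: AtomicUsize = AtomicUsize::new(0);

/// Constructed element type whose Drop impl is observable.
#[derive(Debug, PartialEq)]
pub struct Tracked(pub u8);

impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

impl Unpack for Tracked {
    fn unpack(bytes: &mut &[u8]) -> Self {
        let (head, rest) = bytes.split_at(1); // panics on exhausted input
        *bytes = rest;
        Tracked(head[0])
    }
}

/// Happy path on constructed input: three little-endian u16 values.
pub fn unpack_u16_array() -> [u16; 3] {
    let input: [u8; 6] = [0x01, 0x00, 0x02, 0x00, 0xFF, 0xFF]; // constructed sample
    let mut cursor: &[u8] = &input;
    unpack_array(&mut cursor)
}

/// Failure path: ask for four `Tracked` elements from a constructed two-byte
/// input. Returns (did it panic, how many Tracked values were dropped while
/// unwinding). Only the two fully built elements get dropped.
pub fn truncated_input_drop_count() -> (bool, usize) {
    DROPS.store(0, Ordering::SeqCst);
    let input: [u8; 2] = [0xAA, 0xBB]; // constructed: 2 of the 4 bytes needed
    let result = panic::catch_unwind(AssertUnwindSafe(|| {
        let mut cursor: &[u8] = &input;
        let arr: [Tracked; 4] = unpack_array(&mut cursor);
        arr
    }));
    let panicked = result.is_err();
    let dropped = DROPS.load(Ordering::SeqCst);
    drop(result);
    (panicked, dropped)
}

fn main() {
    println!("u16 array: {:?}", unpack_u16_array());
    let (panicked, dropped) = truncated_input_drop_count();
    println!("panicked: {}, elements dropped during unwind: {}", panicked, dropped);
}
```

The point to take from the failure path is the drop count: with the Vec-based version it equals the number of elements completed before the panic, whereas the commented-out pattern would run Tracked's destructor over two slots that were never written.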

WAF Protection Rules

WAF Rule

byte_struct packs and unpacks structures as raw bytes with packed or bit field layout. An issue was discovered in the byte_struct crate before 0.6.1 for Rust. There can be a drop of uninitialized memory if a certain deserialization method panics.