
CVE-2021-45689: Use of Uninitialized Resource in gfx-auxil

CVSS Score (CVSS v3.1): 9.8

Basic Information

EPSS Score: 0.61972%
Published: 1/6/2022
Updated: 6/22/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
gfx-auxil       rust         <= 0.10.0              (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is in gfx_auxil::read_spirv, the function the advisory names. The function allocates a Vec<u32> with Vec::with_capacity, then uses unsafe pointer manipulation to build a mutable byte slice over that capacity and hands the slice to a caller-supplied Read implementation before any byte of it has been written. Read is a trait that any caller can implement, so the reader can observe the uninitialized heap memory (information exposure) or report a byte count it never actually wrote, after which the function treats the buffer as fully initialized. This is CWE-908 (Use of Uninitialized Resource); the GitHub issue discussion confirms the pattern and its security implications. A caller that only ever passes a well-behaved reader such as a file still executes undefined behavior, because a &mut [u8] over uninitialized memory is invalid in Rust regardless of what the reader does with it.
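To make the pattern concrete, the following is an added Rust example written for this page, not code taken from the gfx-auxil crate. read_spirv_vulnerable is my reconstruction of the pattern the advisory describes (Vec::with_capacity, a raw byte slice over the capacity, set_len after the read) and is never called, because running it is undefined behavior; read_spirv is a hardened rewrite that zero-initializes a Vec<u8>, decodes the words without unsafe, and so cannot leak heap contents even to a reader that lies about how much it wrote. LyingReader, sample_words and words_to_bytes are constructed fixtures, and the header words after the SPIR-V magic are made up.

```rust
use std::convert::TryFrom;
use std::io::{self, Cursor, Read, Seek, SeekFrom};

/// SPIR-V magic number, as stored in the first word of a module.
pub const SPIRV_MAGIC: u32 = 0x0723_0203;

/// Reconstruction of the vulnerable pattern the advisory describes (my own
/// rendering, not the crate's source). A capacity-only Vec<u32> is reinterpreted
/// as a &mut [u8] before any byte has been written, and `set_len` trusts that the
/// caller-supplied Read filled it. Kept only for contrast; calling it is undefined
/// behaviour, so nothing below invokes it.
#[allow(dead_code)]
pub fn read_spirv_vulnerable<R: Read + Seek>(mut x: R) -> io::Result<Vec<u32>> {
    let size = x.seek(SeekFrom::End(0))?;
    if size % 4 != 0 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "length not a multiple of 4"));
    }
    let words = (size / 4) as usize;
    let mut result = Vec::<u32>::with_capacity(words);
    x.seek(SeekFrom::Start(0))?;
    unsafe {
        // Uninitialised memory handed to arbitrary code: the reader may read it
        // (memory exposure) or return Ok(n) without having written n bytes.
        let bytes = std::slice::from_raw_parts_mut(result.as_mut_ptr() as *mut u8, words * 4);
        x.read_exact(bytes)?;
        result.set_len(words);
    }
    Ok(result)
}

/// Hardened version: the buffer is zero-initialised before the reader sees it,
/// so a misbehaving Read can at worst leave zeros behind, never leak heap
/// contents, and no unsafe is needed.
pub fn read_spirv<R: Read + Seek>(mut x: R) -> io::Result<Vec<u32>> {
    let size = x.seek(SeekFrom::End(0))?;
    if size % 4 != 0 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "length not a multiple of 4"));
    }
    let size = usize::try_from(size)
        .map_err(|_| io::Error::new(io::ErrorKind::InvalidData, "input too long"))?;
    x.seek(SeekFrom::Start(0))?;
    let mut bytes = vec![0u8; size];
    x.read_exact(&mut bytes)?;
    let mut words: Vec<u32> = bytes
        .chunks_exact(4)
        .map(|c| u32::from_ne_bytes([c[0], c[1], c[2], c[3]]))
        .collect();
    // Module written in the other byte order: swap every word.
    if words.first() == Some(&SPIRV_MAGIC.swap_bytes()) {
        for w in &mut words {
            *w = w.swap_bytes();
        }
    }
    // Rejects empty input and anything a lying reader left as zeros.
    if words.first() != Some(&SPIRV_MAGIC) {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "missing SPIR-V magic number"));
    }
    Ok(words)
}

/// Constructed misbehaving reader: reports every byte as read but never writes.
pub struct LyingReader { len: u64, pos: u64 }

impl LyingReader {
    pub fn new(len: u64) -> Self { LyingReader { len, pos: 0 } }
}

impl Read for LyingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = (self.len - self.pos).min(buf.len() as u64) as usize;
        self.pos += n as u64;
        Ok(n) // lies: buf is left untouched
    }
}

impl Seek for LyingReader {
    fn seek(&mut self, pos: SeekFrom) -> io::Result<u64> {
        self.pos = match pos {
            SeekFrom::Start(p) => p,
            SeekFrom::End(off) => (self.len as i64 + off) as u64,
            SeekFrom::Current(off) => (self.pos as i64 + off) as u64,
        };
        Ok(self.pos)
    }
}

/// Constructed five-word header used as sample input (values after the magic are made up).
pub fn sample_words() -> Vec<u32> {
    vec![SPIRV_MAGIC, 0x0001_0500, 0, 1, 0]
}

/// Serialise words in native byte order, or with every word byte-swapped.
pub fn words_to_bytes(words: &[u32], swapped: bool) -> Vec<u8> {
    words
        .iter()
        .flat_map(|w| {
            let v = if swapped { w.swap_bytes() } else { *w };
            v.to_ne_bytes()
        })
        .collect()
}

fn main() {
    let good = read_spirv(Cursor::new(words_to_bytes(&sample_words(), false)));
    let lying = read_spirv(LyingReader::new(20));
    println!("well-behaved reader: {:?}", good);
    println!("lying reader: {:?}", lying);
}
```

With the hardened function, a reader that claims to have written 20 bytes but wrote none yields five zero words, which the magic-number check rejects deterministically; with the original pattern the same reader would leave whatever the allocator had in those 20 bytes and set_len would promote it to initialized data.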

WAF Protection Rules

WAF Rule

Affected versions of this crate pass an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return an incorrect number of bytes written to t
