CVE-2021-45714: Use After Free in rusqlite
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-45714
GHSA ID
EPSS Score: 0.51056%
CWE
Published: 1/6/2022
Updated: 6/13/2023
KEV Status: No
Technology: Rust
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
rusqlite | rust | >= 0.25.0, < 0.25.4 | 0.25.4 |
rusqlite | rust | >= 0.26.0, < 0.26.2 | 0.26.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The RustSec advisory RUSTSEC-2021-0128 explicitly lists the affected functions and attributes the problem to incorrect lifetime bounds on their closure parameters: each of them registers a callback with SQLite but did not require the closure to be 'static, so a caller could pass a closure that borrows a short-lived local. The boxed closure is handed to the C side and can be invoked after the borrowed data has been dropped, which is the use-after-free. The GitHub issue #1048 gives a concrete reproduction of this in update_hook. All of the listed functions share the same pattern of storing a callback that can outlive the environment it captured, and the fix in 0.25.4 and 0.26.2 is to tighten the bound to 'static so that a closure must own whatever it captures. The advisory's detailed function list combined with the reproduction evidence gives high confidence in these identifications.
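The pattern described above, as an added illustration that is not code from rusqlite or the advisory: a toy `Db` type with a hook slot stands in for the SQLite handle, `update_hook_unsound` reproduces the pre-fix signature (no `'static` bound, lifetime erased before the closure is stored) and `update_hook` reproduces the fixed one. The `Db`, method and helper names are assumptions for this example; the `transmute` is the unsound step written out explicitly so the lifetime erasure is visible.

```rust
use std::sync::{Arc, Mutex};

/// Stand-in for the C-side hook slot: the library keeps an erased
/// `Box<dyn FnMut(&str)>` and fires it on every "update". (Hypothetical type.)
pub struct Db {
    update_hook: Option<Box<dyn FnMut(&str) + 'static>>,
}

impl Db {
    pub fn new() -> Self {
        Db { update_hook: None }
    }

    /// VULNERABLE shape (pre-0.25.4 / 0.26.2): no `'static` bound, so a closure
    /// borrowing a stack local is accepted, and its lifetime is erased when the
    /// box is handed to the C side. The transmute is the unsound step.
    pub fn update_hook_unsound<'a, F: FnMut(&str) + 'a>(&mut self, f: F) {
        let boxed: Box<dyn FnMut(&str) + 'a> = Box::new(f);
        // SAFETY: none. This is exactly what must not happen.
        let erased: Box<dyn FnMut(&str) + 'static> = unsafe { std::mem::transmute(boxed) };
        self.update_hook = Some(erased);
    }

    /// FIXED shape: `'static` forces the closure to own everything it captures,
    /// so the borrow checker rejects a closure that captures `&local`.
    pub fn update_hook<F: FnMut(&str) + 'static>(&mut self, f: F) {
        self.update_hook = Some(Box::new(f));
    }

    /// Simulates SQLite firing the registered hook for a row change.
    pub fn execute_update(&mut self, table: &str) {
        if let Some(hook) = self.update_hook.as_mut() {
            hook(table);
        }
    }
}

/// Fixed API driven with owned state (Arc<Mutex<..>>), returns what the hook saw.
pub fn run_fixed() -> Vec<String> {
    let log = Arc::new(Mutex::new(Vec::new()));
    let mut db = Db::new();
    let sink = Arc::clone(&log);
    db.update_hook(move |table| sink.lock().unwrap().push(table.to_string()));
    db.execute_update("users");
    db.execute_update("orders");
    let seen = log.lock().unwrap().clone();
    seen
}

/// Unsound API accepting a closure that borrows the stack local `prefix`.
/// The hook is only fired while `prefix` is alive; after the inner block ends
/// the stored closure holds a dangling `&prefix`, so firing it again would be
/// the use-after-free. The hook is discarded instead of being invoked.
pub fn run_unsound_while_alive() -> Vec<String> {
    let mut db = Db::new();
    let seen = Arc::new(Mutex::new(Vec::new()));
    let sink = Arc::clone(&seen);
    {
        let prefix = String::from("tbl:");
        // Compiles only because of the erased lifetime; with the `'static`
        // bound of `update_hook` this line is a compile error (E0597).
        db.update_hook_unsound(|t| sink.lock().unwrap().push(format!("{}{}", prefix, t)));
        db.execute_update("users"); // still valid: `prefix` is alive here
    }
    // `prefix` has been dropped; `db.update_hook` now references freed stack data.
    // db.execute_update("orders"); // would dereference the dangling borrow: UAF
    db.update_hook = None; // drop the dangling hook without calling it
    let out = seen.lock().unwrap().clone();
    out
}

fn main() {
    println!("fixed API saw:   {:?}", run_fixed());
    println!("unsound API saw: {:?}", run_unsound_while_alive());
}
```

The useful check when auditing a similar FFI wrapper is the bound on the generic callback parameter: any function that boxes a closure, turns it into a `*mut c_void` user-data pointer and registers it with a C library must require `F: 'static` (or tie the registration to a guard whose drop unregisters the callback), otherwise the signature above is reproducible with plain safe Rust on the caller's side.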