Miggo Logo

CVE-2021-45718: Use After Free in rusqlite

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.51056%
Published
1/6/2022
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
rusqliterust>= 0.25.0, < 0.25.40.25.4
rusqliterust>= 0.26.0, < 0.26.20.26.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incorrect lifetime bounds on closure parameters in multiple callback registration functions. The RustSec advisory explicitly lists these 7 functions across hooks, functions, and collation features. The GitHub issue #1048 provides a concrete reproduction using update_hook, while CVE description specifically calls out rollback_hook. All listed functions share the same pattern of accepting closures that could outlive their captured environments due to insufficient lifetime constraints, enabling use-after-free scenarios when SQLite later invokes these callbacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** rusqlit* *r*t* *.**.x ***or* *.**.* *n* *.**.x ***or* *.**.* *or Rust. roll***k_*ook **s * us*-**t*r-*r**.

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t li**tim* *oun*s on *losur* p*r*m*t*rs in multipl* **ll***k r**istr*tion *un*tions. T** RustS** **visory *xpli*itly lists t**s* * *un*tions **ross *ooks, *un*tions, *n* *oll*tion ***tur*s. T** *it*u* issu* #****