N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-3632-54q8-m96x

EPSS Score

CWE

CWE-122

Published

9/2/2025

Updated

9/2/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3632-54q8-m96x

GHSA-3632-54q8-m96x: arenavec has multiple memory corruption vulnerabilities in safe APIs

The crate has the following vulnerabilities:

The public trait arenavec::common::AllocHandle allows the return of raw pointers through its methods allocate and allocate_or_extend. However, the trait is not marked as unsafe, meaning users of the crate may implement it under the assumption that the library safely handles the returned raw pointers. These raw pointers can later be dereferenced within safe APIs of the crate-such as arenavec::common::SliceVec::push-potentially leading to arbitrary memory access.
The safe API arenavec::common::SliceVec::reserve can reach the private function arenavec::common::allocate_inner. Incorrect behavior in allocate_inner may result in a SliceVec with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between SliceVec.capacity and the actual reserved memory can lead to a heap buffer overflow.
The safe API arenavec::common::SliceVec::split_off can duplicate the ownership of the elements in self (of type SliceVec) if they implement the Drop trait. Specifically, when at == 0, the method returns a new SliceVec with the same length as self. Since both self and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-3632-54q8-m96x

EPSS Score

CWE

CWE-122

Published

9/2/2025

Updated

9/2/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
arenavec	rust	<= 0.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis identified multiple memory corruption vulnerabilities in the arenavec crate, stemming from three distinct issues reported on GitHub. Since no patches are available, the analysis is based on the detailed bug reports, which include proofs-of-concept and point to the exact sources of the vulnerabilities.

The root causes are:

Improper Trust (CWE-822): The AllocHandle trait is not declared unsafe, yet the library's internal code makes unsafe assumptions about the validity of pointers returned by user implementations of this trait. This leads to an untrusted pointer dereference in SliceVec::push.
Heap Buffer Overflow (CWE-122): The allocate_inner function, called by SliceVec::reserve, can fail to allocate memory while still increasing the vector's capacity. This causes SliceVec::push to write past the buffer's boundary.
Double Free (CWE-415): The SliceVec::split_off function incorrectly handles ownership when splitting at index 0, leading to two SliceVec instances pointing to the same data. When both are dropped, the data is freed twice.

The identified vulnerable functions are the public APIs that trigger these conditions (push, reserve, split_off) and the underlying trait methods and private functions where the flaws reside (AllocHandle::allocate, AllocHandle::allocate_or_extend, allocate_inner). Any of these functions could appear in a runtime profile during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *r*t* **s t** *ollowin* vuln*r**iliti*s: - T** pu*li* tr*it `*r*n*v**::*ommon::*llo***n*l*` *llows t** r*turn o* r*w point*rs t*rou** its m*t*o*s `*llo**t*` *n* `*llo**t*_or_*xt*n*`. *ow*v*r, t** tr*it is not m*rk** *s uns***, m**nin* us*rs o* t

Reasoning

T** *n*lysis i**nti*i** multipl* m*mory *orruption vuln*r**iliti*s in t** `*r*n*v**` *r*t*, st*mmin* *rom t*r** *istin*t issu*s r*port** on *it*u*. Sin** no p*t***s *r* *v*il**l*, t** *n*lysis is **s** on t** **t*il** *u* r*ports, w*i** in*lu** proo*

N/A

Basic Information

Concerned about an active attack path?

GHSA-3632-54q8-m96x: arenavec has multiple memory corruption vulnerabilities in safe APIs

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI