CVE-2019-15554: Memory corruption in smallvec

August 25, 2021 (updated June 13, 2023)

Attempting to call grow on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. An attacker that controls the value passed to grow may exploit this flaw to obtain memory contents or gain remote code execution.

References

github.com/advisories/GHSA-69gw-hgj3-45m7
github.com/servo/rust-smallvec
github.com/servo/rust-smallvec/issues/149
nvd.nist.gov/vuln/detail/CVE-2019-15554
rustsec.org/advisories/RUSTSEC-2019-0012.html

Code Behaviors & Features

Detect and mitigate CVE-2019-15554 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →