[Pkg-rust-maintainers] Bug#1134494: rust-thin-vec: CVE-2026-6654
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 20 21:15:19 BST 2026
Source: rust-thin-vec
Version: 0.2.13-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for rust-thin-vec.
CVE-2026-6654[0]:
| Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and
| `ThinVec::clear` functions in the thin_vec crate. A panic in
| `ptr::drop_in_place` skips setting the length to zero.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-6654
https://www.cve.org/CVERecord?id=CVE-2026-6654
[1] https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j
Regards,
Salvatore
More information about the Pkg-rust-maintainers
mailing list