CVE-2021-28877

rust: memory safety violation in Zip implementation for nested iter::Zips

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.

En la biblioteca estándar en Rust versiones anteriores a 1.51.0, la implementación de Zip llama a la función __iterator_get_unchecked() para el mismo índice más de una vez cuando está anidado. Este bug puede conllevar a una violación de seguridad de la memoria debido a un requisito de seguridad no cumplido para el rasgo TrustedRandomAccess

Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, the cargo-vendor plugin, and required libraries. Issues addressed include buffer overflow, double free, and integer overflow vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-19 CVE Reserved
2021-04-11 CVE Published
2024-08-03 CVE Updated
2025-06-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/rust-lang/rust/pull/80670	2022-11-03

URL	Date	SRC
https://security.gentoo.org/glsa/202210-09	2022-11-03
https://access.redhat.com/security/cve/CVE-2021-28877	2021-08-10
https://bugzilla.redhat.com/show_bug.cgi?id=1949204	2021-08-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Rust-lang Search vendor "Rust-lang"		Rust Search vendor "Rust-lang" for product "Rust"				< 1.51.0 Search vendor "Rust-lang" for product "Rust" and version " < 1.51.0"		-		Affected