GHSA-97wc-2hqc-cjgr

Suggest an improvement
Source
https://github.com/advisories/GHSA-97wc-2hqc-cjgr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-97wc-2hqc-cjgr/GHSA-97wc-2hqc-cjgr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-97wc-2hqc-cjgr
Aliases
  • CVE-2026-44983
Published
2026-05-09T00:02:47Z
Modified
2026-05-09T00:19:03.642261Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
Summary
smallbitvec: Integer overflow in safe API leads to heap buffer overflow
Details

Summary

An integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller.

Details

The issue originates from unchecked arithmetic in the internal helper function responsible for computing the required buffer size:

(cap + bits_per_storage() - 1) / bits_per_storage()

When cap is close to usize::MAX, the addition:

cap + bits_per_storage() - 1

can overflow in release builds and wrap around due to Rust’s default wrapping semantics for integer overflow in optimized builds.

As a result: - buffer_len(cap) may return a value significantly smaller than required. - The backing storage is allocated with insufficient size. - Internal metadata (logical length/capacity) reflects a much larger size than the actual allocation.

Subsequent safe API calls (e.g., set, push, reserve) rely on this corrupted metadata and perform index computations that assume sufficient backing storage. These operations eventually reach unsafe internal code paths (e.g., pointer arithmetic and unchecked indexing), leading to out-of-bounds memory access.

Summary of the issue: integer overflow → undersized allocation → inconsistent metadata (len/cap vs actual buffer) → unsafe internal access using corrupted metadata → heap buffer overflow (UB)

PoC

PoC 1: Out-of-bounds write via from_elem

#![forbid(unsafe_code)]

use smallbitvec::SmallBitVec;

fn main() {
    // Triggers overflow in buffer_len(cap)
    let mut v = SmallBitVec::from_elem(usize::MAX, false);

    // Logical length is large, but backing storage is undersized
    // This leads to out-of-bounds write in unsafe internals
    v.set(0, true);
}

PoC 2: Overflow via reserve

#![forbid(unsafe_code)]

use smallbitvec::SmallBitVec;

fn main() {
    let mut v = SmallBitVec::new();
    v.push(true);

    // Triggers overflow in capacity computation
    v.reserve(usize::MAX - 10);
}

Impact

  • Heap buffer overflow via safe API only
  • ASAN-observable heap-buffer-overflow
  • Undefined Behavior detectable with Miri (e.g., out-of-bounds indexing due to corrupted metadata)

Tested on

  • rustc 1.96.0-nightly (9602bda1d 2026-04-05)
  • Target: x86_64-unknown-linux-gnu
  • Build: release
  • ASAN: RUSTFLAGS="-Z sanitizer=address" cargo +nightly run --release
  • Miri: cargo +nightly miri run --release
Database specific 
{
    "github_reviewed_at": "2026-05-09T00:02:47Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-122",
        "CWE-190"
    ]
}
References

Affected packages

crates.io / smallbitvec

Package

Name
smallbitvec
View open source insights on deps.dev
Purl
pkg:cargo/smallbitvec

Affected ranges

Type
SEMVER
Events
Introduced
1.0.1
Last affected
2.6.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-97wc-2hqc-cjgr/GHSA-97wc-2hqc-cjgr.json"