An issue was discovered in the calamine crate before 0.17.0 for Rust. It allows attackers to overwrite heap-memory locations because Vec::set_len is used without proper memory claiming, and this uninitialized memory is used for a user-provided Read operation, as demonstrated by Sectors::get.
{ "nvd_published_at": "2021-02-09T23:15:00Z", "github_reviewed_at": "2021-08-19T17:35:56Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-787" ] }