Impact
The vulnerability resides in the internal capacity calculation of a resizable bit-vector library, where an integer overflow produces an undersized heap allocation. The result is a heap buffer overflow that can corrupt arbitrary memory. The flaw is reachable through the library's safe API, so callers do not need to write unsafe Rust to trigger it. The direct impact is that an attacker who can influence the size of a bit-vector instance may cause the program to read or write beyond the allocation's intended bounds.
Affected Systems
The affected component is the smallbitvec crate, a growable bit‑vector implementation from the Servo project. Versions from 1.0.1 up to and including 2.6.0 inherit the bug. The issue was resolved in version 2.6.1, which corrects the capacity calculation to prevent the overflow.
Risk and Exploitability
The CVSS score of 7.3 indicates a moderately high severity. No exploit probability (EPSS) data is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to drive the smallbitvec capacity calculation with a value that overflows, typically by supplying a large size to code that constructs or resizes a bit-vector. While the flaw can be triggered from user-controlled data, it requires the ability to create or grow the vulnerable object, making remote exploitation less straightforward but still plausible wherever the library sizes a bit-vector from external input.
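The undersized-allocation mechanism described above, as an added illustration that is not smallbitvec's own code: a bits-to-words capacity computation whose unchecked rounding wraps to a tiny word count, beside the checked form that refuses the size instead. The constant, the function names and the near-`usize::MAX` input are constructed for this example.

```rust
// Added illustration (not smallbitvec's code): an integer overflow in a
// bit-vector capacity calculation and the checked arithmetic that prevents it.

// Number of bits stored per backing word (64 on a 64-bit target).
const BITS_PER_WORD: usize = usize::BITS as usize;

/// Unchecked rounding-up division. For a bit count close to usize::MAX the
/// addition wraps, so a huge request yields a word count of 0: an allocation
/// far too small for the bits the caller then expects to address.
fn words_for_bits_unchecked(nbits: usize) -> usize {
    nbits.wrapping_add(BITS_PER_WORD - 1) / BITS_PER_WORD
}

/// Checked version: the same rounding, but None when the addition would
/// overflow, so the caller can reject the size rather than under-allocate.
fn words_for_bits_checked(nbits: usize) -> Option<usize> {
    nbits.checked_add(BITS_PER_WORD - 1).map(|n| n / BITS_PER_WORD)
}

/// Allocate a zeroed backing buffer for `nbits`, refusing impossible sizes.
fn alloc_words(nbits: usize) -> Option<Vec<usize>> {
    let words = words_for_bits_checked(nbits)?;
    Some(vec![0usize; words])
}

fn main() {
    // Constructed input: a request just below the maximum representable size.
    let huge = usize::MAX - 5;
    println!("unchecked words for {}: {}", huge, words_for_bits_unchecked(huge));
    println!("checked words for {}:   {:?}", huge, words_for_bits_checked(huge));
    println!("alloc_words(huge) allocated: {}", alloc_words(huge).is_some());
}
```

In a debug build the unchecked form panics on the overflow; the wrap-to-zero behaviour is what a release build (overflow checks off) would produce, which is why the checked form is the fix to reach for.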