Description
Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption (UAF/Dereference)
Action: Update library
AI Analysis

Impact

The thin_vec crate contains an internal data structure ThinVec with IntoIter::drop and ThinVec::clear. If an element’s drop function panics while iterating or clearing, the drop logic fails to set the length to zero, leaving a dangling pointer. This leads to a double free or use‑after‑free vulnerability (CWE‑415 and CWE‑416). The resulting memory corruption can cause program crashes or other unintended behavior.

Affected Systems

Mozilla thin-vec – all versions prior to the patch are affected; no specific version information is provided in the advisory.

Risk and Exploitability

The CVSS score is 5.1, and the EPSS score is less than 1%, indicating a low exploitation probability. The CVE is not listed in the CISA KEV catalog. The risk cannot be fully evaluated until a fix is released.

Generated by OpenCVE AI on April 20, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the thin-vec crate to the latest release once a patch is available.
  • Add a defensive check that resets the vector length to zero before dropping elements, or replace the drop implementation with custom logic to avoid double free when panics occur.
  • Enable runtime memory checking (e.g., address sanitizer or other tools) to detect double free or use‑after‑free incidents during development and testing.

Generated by OpenCVE AI on April 20, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thin-vec
Vendors & Products Mozilla
Mozilla thin-vec

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 20 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Description Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero.
Title Use-After-Free and Double-Free in IntoIter::drop when element drop panics
References

Subscriptions

Mozilla Thin-vec
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-20T13:14:37.846Z

Reserved: 2026-04-20T07:02:28.158Z

Link: CVE-2026-6654

cve-icon Vulnrichment

Updated: 2026-04-20T13:14:31.022Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T11:16:19.937

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-6654

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses