{"id":"RUSTSEC-2019-0002","summary":"Bug in SliceDeque::move_head_unchecked corrupts its memory","details":"Affected versions of this crate entered a corrupted state if\n`mem::size_of::\u003cT\u003e() % allocation_granularity() != 0` and a specific allocation\npattern was used: sufficiently shifting the deque elements over the mirrored\npage boundary.\n\nThis allows an attacker that controls controls both element insertion and\nremoval to corrupt the deque, such that reading elements from it would read\nbytes corresponding to other elements in the deque. (e.g. a read of T could read\nsome bytes from one value and some bytes from an adjacent one, resulting in a T\nwhose value representation is not meaningful). This is undefined behavior.\n \nThe flaw was corrected by using a pair of pointers to track the head and tail of\nthe deque instead of a pair of indices. This pair of pointers are represented\nusing a Rust slice.","aliases":["CVE-2019-15543","GHSA-c3m3-c39q-pv23"],"modified":"2026-02-04T04:35:48.117957Z","published":"2019-05-07T12:00:00Z","related":["RUSTSEC-2018-0008"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/slice-deque"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2019-0002.html"},{"type":"REPORT","url":"https://github.com/gnzlbg/slice_deque/issues/57"}],"affected":[{"package":{"name":"slice-deque","ecosystem":"crates.io","purl":"pkg:cargo/slice-deque"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.2.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"arch":[],"functions":[]}},"database_specific":{"cvss":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2019-0002.json","informational":null,"categories":[]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}