The vulnerability arises from an integer overflow in the internal `buffer_len(cap)` helper function of the `smallbitvec` crate. The function computes the required allocation size as `(cap + bits_per_storage() - 1) / bits_per_storage()`. When `cap` is near `usize::MAX`, the addition `cap + bits_per_storage() - 1` wraps around to a very small value because Rust disables overflow checks by default in release builds. This leads to an undersized heap allocation. However, the internal metadata that tracks logical length and capacity remains set to the large requested size. Subsequent safe API calls such as `set()`, `push()`, or `reserve()` rely on this inconsistent metadata and perform index bounds checks that assume a much larger buffer than was actually allocated. These operations eventually reach unsafe internal code paths (pointer arithmetic, unchecked indexing), causing out-of-bounds memory access. The overflow is triggered entirely through safe API calls, without requiring any `unsafe` code from the caller.
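The following is an added illustration, not code from the `smallbitvec` crate: it reproduces the advisory's size formula with the wrapping behaviour of a release build, next to a checked version and a `div_ceil` version that never wrap. It assumes one storage word holds `usize::BITS` bits; the crate's real `bits_per_storage()` may differ.

```rust
// Added example (not smallbitvec's own code). Assumption: each storage
// word holds usize::BITS bits, which is what bits_per_storage() returns here.
fn bits_per_storage() -> usize {
    usize::BITS as usize
}

/// The advisory's formula, (cap + bits_per_storage() - 1) / bits_per_storage(),
/// written with wrapping_add so the release-build result is reproduced in any
/// build profile (a plain `+` would panic in a debug build, where overflow
/// checks are on by default). For cap near usize::MAX this returns 0 words.
fn buffer_len_wrapping(cap: usize) -> usize {
    cap.wrapping_add(bits_per_storage() - 1) / bits_per_storage()
}

/// Hardened variant: the addition is checked, so a capacity that cannot be
/// represented yields None instead of a silently undersized allocation.
fn buffer_len_checked(cap: usize) -> Option<usize> {
    cap.checked_add(bits_per_storage() - 1)
        .map(|n| n / bits_per_storage())
}

/// Idiomatic variant: usize::div_ceil rounds up without forming cap + k - 1,
/// so it cannot overflow. The huge result is then rejected by the allocator
/// (capacity overflow / allocation failure) instead of being under-allocated.
fn buffer_len_div_ceil(cap: usize) -> usize {
    cap.div_ceil(bits_per_storage())
}

fn main() {
    for cap in [0usize, 1, bits_per_storage(), bits_per_storage() + 1, usize::MAX - 10, usize::MAX] {
        println!(
            "cap={cap:>20} wrapping={} checked={:?} div_ceil={}",
            buffer_len_wrapping(cap),
            buffer_len_checked(cap),
            buffer_len_div_ceil(cap)
        );
    }
}
```

Running it shows `wrapping=0` for both `usize::MAX - 10` and `usize::MAX`, which is the zero-word allocation that the later `set()` call then writes past.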
DailyCVE Form
Platform: Rust smallbitvec
Version: 2.5.x affected
Vulnerability: integer overflow
Severity: High
Date: 2026-05-06
Prediction: Patch version 2.6.0
Analytics – What Undercode Say
Detect vulnerable version:
cargo tree | grep smallbitvec
Test for overflow using the PoC (requires nightly). The file needs the `#!` prefix on the crate attribute, which was missing from the original listing:
cat <<EOF > poc.rs
#![forbid(unsafe_code)]
use smallbitvec::SmallBitVec;
fn main() {
    // Requested capacity near usize::MAX makes buffer_len() wrap to a tiny size.
    let mut v = SmallBitVec::from_elem(usize::MAX, false);
    // Safe API call; writes past the undersized allocation.
    v.set(0, true);
}
EOF
Build and run with ASAN:
RUSTFLAGS="-Z sanitizer=address" cargo +nightly run --release
Run with Miri:
cargo +nightly miri run --release
Exploit
Trigger the integer overflow by calling `SmallBitVec::from_elem(usize::MAX, false)` or `reserve(usize::MAX - 10)`. This causes an undersized allocation, leading to a heap buffer overflow when the vector is later written via `set()`.
Protection from this CVE
Update to smallbitvec >= 2.6.0. If patching is not possible, avoid constructing bit vectors with a capacity near `usize::MAX` and disable release builds until upgrade (debug builds enable overflow checks by default, so the wrapping addition becomes a panic rather than an undersized allocation).
Impact
Heap buffer overflow (ASAN-observable), undefined behavior (Miri-detectable), and potential memory corruption leading to RCE.
Sources:
Reported By: github.com