CVE-2021-28031

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Rust scratchpad crate allows double-free memory corruption when a user-provided function panics during move_elements operations. Attackers could exploit this to execute arbitrary code or cause denial of service. Any Rust application using vulnerable versions of the scratchpad crate is affected.

💻 Affected Systems

Products:
  • Rust applications using scratchpad crate
Versions: scratchpad crate versions < 1.3.1
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Rust applications that use the scratchpad crate's move_elements function with user-provided callbacks that can panic.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash or denial of service due to memory corruption.

🟢 If Mitigated: Limited impact with proper memory isolation and exploit mitigations like ASLR and stack canaries.

🌐 Internet-Facing: HIGH - Exploitable remotely if application processes untrusted input.
🏢 Internal Only: MEDIUM - Requires attacker access to internal systems or malicious input injection.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering a panic in a user-provided function during a move_elements operation. The proof-of-concept demonstrates a crash, but full RCE requires additional memory manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: scratchpad 1.3.1

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0030.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require scratchpad >= 1.3.1.
2. Run 'cargo update' to fetch the new version.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

Avoid panic-prone callbacks (all platforms)

Modify code to prevent panics in user-provided functions passed to move_elements.

Use catch_unwind (all platforms)

Wrap move_elements calls in std::panic::catch_unwind to prevent double-free on panic.
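
One way to apply both workarounds above, as an added example that is not code from the scratchpad crate or the advisory: the panic is caught inside the callback, so it never unwinds out of the function handed to the mover. `move_elements_stand_in`, `parse_or_panic` and `process_all` are hypothetical names, and the stand-in is safe code that models only the "callback receives each element by value" calling shape, not the crate's API.

```rust
use std::panic::{self, AssertUnwindSafe};

// Hypothetical stand-in for the crate's mover: hands each element to `f` by
// value. Safe code that models only the calling shape, not scratchpad itself.
fn move_elements_stand_in<T, F: FnMut(T)>(items: Vec<T>, mut f: F) {
    for item in items {
        f(item);
    }
}

// Constructed example of a panic-prone handler: unwrap() panics on bad input.
fn parse_or_panic(s: &str) -> u32 {
    s.trim().parse::<u32>().unwrap()
}

// Runs the handler for every element, catching any panic inside the callback
// so it never unwinds through the mover. Returns (parsed values, failures).
pub fn process_all(inputs: Vec<String>) -> (Vec<u32>, usize) {
    let mut parsed = Vec::new();
    let mut failures = 0usize;
    move_elements_stand_in(inputs, |s: String| {
        // AssertUnwindSafe: the inner closure only reads `s`, so no shared
        // state is left half-updated if it panics.
        match panic::catch_unwind(AssertUnwindSafe(|| parse_or_panic(&s))) {
            Ok(v) => parsed.push(v),
            Err(_) => failures += 1,
        }
        // `s` is dropped here exactly once, whether or not the handler panicked.
    });
    (parsed, failures)
}

fn main() {
    // Constructed sample input: the second element makes the handler panic.
    let inputs = vec!["7".to_string(), "oops".to_string(), "42".to_string()];
    let (parsed, failures) = process_all(inputs);
    println!("parsed={:?} failures={}", parsed, failures);
}
```

catch_unwind only intercepts unwinding panics; in a build with panic = "abort" the process terminates at the panic instead of returning an error to the callback.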

🧯 If You Can't Patch

  • Isolate application with strict memory limits and containerization
  • Implement input validation and sanitization to prevent triggering vulnerable code paths

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or run 'cargo tree | grep scratchpad' to see the installed version.

Check Version:

grep -A 1 'name = "scratchpad"' Cargo.lock

Verify Fix Applied:

Confirm scratchpad version is 1.3.1 or higher in Cargo.lock

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in Rust panic logs
  • Unexpected process termination

Network Indicators:

  • Unusual outbound connections after crash
  • Exploit attempt patterns in input data

SIEM Query:

process.name: "your_rust_app" AND (event.type: "crash" OR error.message: "*double free*" OR error.message: "*segmentation fault*")
