CVE-2021-29929

7.5 HIGH

📋 TL;DR

This vulnerability in the endian_trait Rust crate allows double-free memory corruption when a user-provided Endian implementation panics. This affects Rust applications using vulnerable versions of the endian_trait crate, potentially leading to crashes or arbitrary code execution.

💻 Affected Systems

Products:
  • Rust applications using endian_trait crate
Versions: endian_trait crate versions through 2021-01-04
Operating Systems: All operating systems running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use custom Endian trait implementations that can panic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash causing denial of service and potential data corruption.

🟢

If Mitigated

Application crash with limited impact due to proper sandboxing and privilege separation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires triggering a panic in user-provided Endian implementation, making reliable exploitation challenging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: endian_trait 0.2.0

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0039.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify endian_trait >= 0.2.0
2. Run 'cargo update' to fetch the patched version
3. Rebuild and redeploy your application

🔧 Temporary Workarounds

Avoid custom Endian implementations

Applies to: all platforms

Remove or avoid using custom Endian trait implementations that could panic

🧯 If You Can't Patch

  • Implement input validation to prevent triggering panics in Endian implementations
  • Run application with memory safety mitigations like ASLR and stack canaries

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock for endian_trait version <= 0.1.0 or run 'cargo audit'

Check Version:

grep endian_trait Cargo.lock

Verify Fix Applied:

Verify Cargo.lock shows endian_trait >= 0.2.0 and 'cargo audit' reports no vulnerabilities
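The Cargo.lock check above as a script, added here as an example that is not part of this advisory: it reads the pinned endian_trait version out of a Cargo.lock and compares it with the 0.2.0 patch version listed above. The lockfile fragment inside the demo is constructed, not taken from a real project.

```shell
# Added example, not the advisory's own: read the pinned endian_trait version from a
# Cargo.lock and compare it with the advisory's patch version. Assumes POSIX sh + awk.
PATCHED_VERSION="0.2.0"

# Print the version pinned for crate $2 in Cargo.lock $1 (nothing if absent). Each
# dependency is a [[package]] table with quoted name/version values, so split on '"'.
lock_crate_version() {
    awk -v crate="$2" '
        /^\[\[package\]\]/ { inpkg = 1; name = ""; ver = "" }
        inpkg && /^name *=/    { split($0, f, "\""); name = f[2] }
        inpkg && /^version *=/ { split($0, f, "\""); ver = f[2] }
        name == crate && ver != "" { print ver; exit }
    ' "$1"
}

# Exit 0 when version $1 is strictly lower than $2, comparing dotted numeric
# components; a pre-release suffix such as "0.2.0-beta" is ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= (na > nb ? na : nb); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Classify a Cargo.lock as "vulnerable <ver>", "fixed <ver>" or "absent".
check_endian_trait() {
    ver=$(lock_crate_version "$1" endian_trait)
    if [ -z "$ver" ]; then echo absent
    elif version_lt "$ver" "$PATCHED_VERSION"; then echo "vulnerable $ver"
    else echo "fixed $ver"
    fi
}

# Demo on a constructed Cargo.lock fragment (not a real project's lockfile).
demo_check() {
    tmp=$(mktemp)
    printf '%s\n' 'version = 3' '' '[[package]]' 'name = "endian_trait"' \
        'version = "0.1.0"' 'source = "registry+https://github.com/rust-lang/crates.io-index"' > "$tmp"
    check_endian_trait "$tmp"
    rm -f "$tmp"
}
demo_check
```

Run it against a project with `check_endian_trait path/to/Cargo.lock`; a "vulnerable" result means the dependency still needs the update described under Official Fix.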

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with double-free or memory corruption errors
  • Unexpected panics in Endian trait implementations

Network Indicators:

  • Sudden application unavailability or restart patterns

SIEM Query:

process.name:your_rust_app AND (event.type:crash OR error.message:"double free" OR error.message:panic)
