CVE-2021-29936 – This vulnerability in the adtensor Rust crate a... (How to Fix)

Q: What is the severity of CVE-2021-29936?

CVE-2021-29936 has a CVSS score of 9.8 (CRITICAL). This vulnerability in the adtensor Rust crate allows attackers to trigger use of uninitialized memory through the FromIterator implementation for Vector and Matrix types. This can lead to memory corruption, crashes, or potential code execution. Any Rust application using vulnerable versions of the adtensor crate is affected.

📋 TL;DR

This vulnerability in the adtensor Rust crate allows attackers to trigger use of uninitialized memory through the FromIterator implementation for Vector and Matrix types. This can lead to memory corruption, crashes, or potential code execution. Any Rust application using vulnerable versions of the adtensor crate is affected.

💻 Affected Systems

Products:

adtensor Rust crate

Versions: All versions through 2021-01-11

Operating Systems: All platforms running Rust applications

Default Config Vulnerable: ⚠️ Yes

Notes: Any Rust application that imports and uses the adtensor crate is vulnerable.

📦 What is this software?

Adtensor by Adtensor Project

View all CVEs affecting Adtensor →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crashes, denial of service, or memory corruption leading to unpredictable behavior.

🟢

If Mitigated

Application crashes without code execution if memory protections are enabled.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting specific inputs to trigger the uninitialized memory drop.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to adtensor crate version after 2021-01-11

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0045.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use adtensor version > 0.1.0 (post-2021-01-11). 2. Run 'cargo update adtensor'. 3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Remove adtensor dependency

all

Temporarily remove or replace the adtensor crate with alternative tensor libraries.

cargo remove adtensor

🧯 If You Can't Patch

Isolate affected applications in network segments with strict egress filtering.
Implement application-level input validation and sanitization for all tensor operations.

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for adtensor dependency with version <= 0.1.0 (2021-01-11).

Check Version:

grep adtensor Cargo.toml && grep -A2 -B2 adtensor Cargo.lock

Verify Fix Applied:

Verify adtensor version in Cargo.lock is > 0.1.0 and no longer shows in 'cargo audit'.

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory access violations
Segmentation faults in Rust applications

Network Indicators:

Unusual outbound connections from Rust applications post-crash

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "memory corruption" OR "adtensor")

📊 Metadata

CVE ID: CVE-2021-29936

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-908

Published: April 1, 2021

Last Updated: November 21, 2024

🔗 References

https://rustsec.org/advisories/RUSTSEC-2021-0045.html Exploit,Vendor Advisory
https://rustsec.org/advisories/RUSTSEC-2021-0045.html Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-29936, you might also want to check these: