CVE-2021-29940

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Rust 'through' crate allows double-free memory corruption when the map function panics. Attackers could exploit this to execute arbitrary code or crash applications. Any Rust application using the affected through crate versions is vulnerable.

💻 Affected Systems

Products:
  • Rust through crate
Versions: All versions through 2021-02-18
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications that use the through or through_and functions with map operations that can panic are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crashes causing denial of service and potential memory corruption that could be leveraged for further exploitation.

🟢 If Mitigated

Limited impact if applications run with memory safety protections like ASLR and DEP, though crashes may still occur.

🌐 Internet-Facing: HIGH - Applications exposed to untrusted input could be remotely exploited if they trigger the vulnerable map function.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering a panic in the map function, which may be possible with crafted input. The advisory includes proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to through crate version after 2021-02-18

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0049.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use through crate version > 2021-02-18.
2. Run 'cargo update --package through'.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Avoid panic-prone map functions

all

Modify code to avoid using map functions that could panic with the through crate
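
A double free of this kind arises when a value is read out of a slot by raw pointer and the map function panics before a result is written back. The following is an added example, not the through crate's code or its fix: a panic-safe in-place map for call sites that cannot guarantee a non-panicking closure. The names `through_safe`, `Refill`, `Tracked` and `panicking_map_scenario` are assumptions, and it requires `T: Default`.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;
use std::sync::atomic::{AtomicUsize, Ordering};

// Bug pattern (comment only, not compiled):
//   let old = ptr::read(slot);  // `old` and `*slot` now both own the value
//   let new = map(old);         // a panic here drops `old` while unwinding
//   ptr::write(slot, new);      // skipped, so the caller later drops `*slot` again

/// Guard that refills the slot with `T::default()` if dropped during unwinding.
struct Refill<T: Default>(*mut T);

impl<T: Default> Drop for Refill<T> {
    fn drop(&mut self) {
        // The slot's old value was moved out, so overwrite without dropping it.
        unsafe { ptr::write(self.0, T::default()) }
    }
}

/// Hypothetical panic-safe variant (assumed name, not the crate's API).
pub fn through_safe<T: Default>(slot: &mut T, map: impl FnOnce(T) -> T) {
    let p: *mut T = slot;
    unsafe {
        let old = ptr::read(p);
        let guard = Refill(p); // armed while `*p` is logically empty
        let new = map(old);
        std::mem::forget(guard); // map returned: disarm, then store the result
        ptr::write(p, new);
    }
}

pub static DROPS: AtomicUsize = AtomicUsize::new(0);
#[derive(Default)]
pub struct Tracked(pub u32);
impl Drop for Tracked {
    fn drop(&mut self) { DROPS.fetch_add(1, Ordering::SeqCst); }
}

/// Constructed scenario: returns (map panicked?, slot value afterwards, total drops).
pub fn panicking_map_scenario() -> (bool, u32, usize) {
    DROPS.store(0, Ordering::SeqCst);
    let mut slot = Tracked(7);
    let res = catch_unwind(AssertUnwindSafe(|| through_safe(&mut slot, |_old| panic!("constructed failure"))));
    let value = slot.0;
    drop(slot);
    (res.is_err(), value, DROPS.load(Ordering::SeqCst))
}

fn main() { println!("{:?}", panicking_map_scenario()); }
```

Each `Tracked` value is dropped exactly once: the original inside the panicking closure, and the default that the guard wrote when the slot itself goes out of scope.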

Pin older version with patch

all

If you must use older versions, apply the fix from the advisory manually

cargo update --package through --precise <fixed-version>

🧯 If You Can't Patch

  • Isolate affected applications in containers or VMs with minimal privileges
  • Implement network segmentation to limit attack surface and monitor for crash events

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock for through crate version <= 0.3.6 or date <= 2021-02-18

Check Version:

grep -A 1 '^name = "through"$' Cargo.lock

Verify Fix Applied:

Verify through crate version > 0.3.6 in Cargo.lock after update

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with double-free errors
  • Panic messages from through crate map operations

Network Indicators:

  • Unusual traffic patterns to applications using through crate

SIEM Query:

source="application.logs" AND ("double free" OR "through crate panic")
