CVE-2021-45716

7.5 HIGH

📋 TL;DR

This vulnerability in the rusqlite Rust crate involves a use-after-free bug in the create_collation function. Attackers could exploit this to execute arbitrary code or cause denial of service in applications using vulnerable versions. Rust applications that use rusqlite for SQLite database operations are affected.

💻 Affected Systems

Products:
  • rusqlite Rust crate
Versions: 0.25.x before 0.25.4, 0.26.x before 0.26.2
Operating Systems: All platforms where Rust applications run
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications that use the create_collation function are vulnerable, but many rusqlite users may use this functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case: Application crash or denial of service, potentially allowing limited memory corruption.

🟢 If Mitigated: Minimal impact if proper memory safety controls and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions but could affect web services using rusqlite.
🏢 Internal Only: LOW - Requires local access or specific application functionality to trigger.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering the specific use-after-free condition through application logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.25.4 or 0.26.2

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0128.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify rusqlite >=0.25.4 or >=0.26.2.
2. Run 'cargo update'.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Avoid create_collation function

all

Temporarily remove or avoid using the create_collation function in your code.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for database operations
  • Run application with memory safety protections (ASLR, DEP) and in sandboxed environments

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock, or run 'cargo tree | grep rusqlite', to see the installed rusqlite version.

Check Version:

cargo tree | grep rusqlite

Verify Fix Applied:

Verify rusqlite version is 0.25.4+ or 0.26.2+ in Cargo.lock after update.
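The verification steps above can be scripted so the check does not depend on eyeballing 'cargo tree' output. The following is an added example, not part of this advisory: it reads the rusqlite entry out of a Cargo.lock and classifies the pinned version against the affected ranges this page lists (0.25.x before 0.25.4, 0.26.x before 0.26.2). Versions outside those two series are reported as "unlisted", since the page does not classify them. The Cargo.lock fragment embedded at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a rusqlite version
# against the affected ranges stated on this page and pull that version
# out of a Cargo.lock.

# Print "vulnerable", "fixed" or "unlisted" for a dotted version string.
# Only the 0.25 and 0.26 series are classified; anything else is "unlisted".
rusqlite_status() {
  ver="$1"
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  # Strip any pre-release suffix (e.g. "3-beta") so the numeric test works.
  patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
  [ -z "$patch" ] && patch=0
  if [ "$major" -eq 0 ] && [ "$minor" -eq 25 ]; then
    if [ "$patch" -lt 4 ]; then echo vulnerable; else echo fixed; fi
  elif [ "$major" -eq 0 ] && [ "$minor" -eq 26 ]; then
    if [ "$patch" -lt 2 ]; then echo vulnerable; else echo fixed; fi
  else
    echo unlisted
  fi
}

# Read a Cargo.lock on stdin and print the version of every rusqlite entry.
# Cargo.lock is TOML: each [[package]] table has a name = "..." line followed
# by a version = "..." line, so we remember the name and print on version.
cargo_lock_rusqlite_versions() {
  awk '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { if (name == "rusqlite") { gsub(/"/, "", $3); print $3 } }
  '
}

# Read a Cargo.lock on stdin and print "<version> <status>" per rusqlite entry.
check_lock() {
  cargo_lock_rusqlite_versions | while IFS= read -r v; do
    printf '%s %s\n' "$v" "$(rusqlite_status "$v")"
  done
}

# Constructed Cargo.lock fragment used for the demonstration below.
SAMPLE_LOCK='[[package]]
name = "serde"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rusqlite"
version = "0.26.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
'

# Run against the constructed sample; replace with: check_lock < Cargo.lock
printf '%s' "$SAMPLE_LOCK" | check_lock
```

Against a real project, run 'check_lock < Cargo.lock' after 'cargo update' and confirm every rusqlite line reads "fixed"; a workspace that pins two rusqlite versions will print one line per entry, so both must be checked.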

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, segmentation faults, or abnormal termination related to database operations

Network Indicators:

  • Unusual database query patterns or connection attempts

SIEM Query:

process.name:your_app AND (event.type:crash OR error.message:*segmentation*fault*)
