GHSA-xg8p-34w2-j49j
HIGHlinked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
linked_list_allocatorReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability impacts all the initialization functions on the Heap and LockedHeap types, including Heap::new, Heap::init, Heap::init_from_slice, and LockedHeap::new. It also affects multiple uses of the Heap::extend method.
Initialization Functions
The heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than 3 * size_of::<usize> because of metadata write operations.
Heap::extend
This vulnerability impacts three specific uses of the Heap::extend method:
- When calling
Heap::extendwith a size smaller than twousizes (e.g., 16 onx86_64), the size was erroneously rounded up to the minimum size, which could result in an out-of-bounds write. - Calling
Heap::extendon an empty heap tried to construct a heap starting at address 0, which is also an out-of-bounds write.- One specific way to trigger this accidentally is to call
Heap::new(or a similar constructor) with a heap size that is smaller than twousizes. This was treated as an empty heap as well.
- One specific way to trigger this accidentally is to call
- Calling
Heap::extendon a heap whose size is not a multiple of the size of twousizes resulted in unaligned writes. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).
Patches
Has the problem been patched? What versions should users upgrade to?
We published a patch in version 0.10.2 and recommend all users to upgrade to it. This patch release includes the following changes:
- The initialization functions now panic if the given size is not large enough to store the necessary metadata. Depending on the alignment of the heap bottom pointer, the minimum size is between
2 * size_of::<usize>and3 * size_of::<usize>. - The
extendmethod now panics when trying to extend an unitialized heap. - Extend calls with a size smaller than
size_of::<usize>() * 2are now buffered internally and not added to the list directly. The buffered region will be merged with futureextendcalls. - The
size()method now returns the usable size of the heap, which might be slightly smaller than thetop() - bottom()difference because of alignment constraints.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
To avoid this issue, ensure that the heap is only initialized with a size larger than 3 * size_of::<usize> and that the Heap::extend method is only called with sizes larger than 2 * size_of::<usize>(). Also, ensure that the total heap size is (and stays) a multiple of 2 * size_of::<usize>().
For more information
If you have any questions or comments about this advisory:
- Open an issue in this repository
- Email @phil-opp at [email protected]
Acknowledgements
This issue was responsibly reported by Evan Richter at ForAllSecure and found with Mayhem and cargo fuzz.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | linked_list_allocator | all versions | 0.10.2 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for linked_list_allocator. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update linked_list_allocator to 0.10.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xg8p-34w2-j49j is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xg8p-34w2-j49j is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xg8p-34w2-j49j. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xg8p-34w2-j49j in your dependencies?
O3 detects GHSA-xg8p-34w2-j49j across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.