Memory Corruption Affecting mio package, versions >=0.7.0 <0.7.6


Severity

medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.04% (15th percentile)

  • Snyk ID: SNYK-RUST-MIO-1296839
  • Published: 26 May 2021
  • Disclosed: 2 Nov 2020
  • Credit: Unknown

Introduced: 2 Nov 2020

CVE-2020-35922
CWE-119

How to fix?

Upgrade mio to version 0.7.6 or higher.

Overview

mio is a lightweight non-blocking I/O library.

Affected versions of this package are vulnerable to Memory Corruption. mio assumed that std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr, and converted socket addresses to the system representation by simply casting pointers. The standard library makes no guarantee about the memory layout of these types, so this causes invalid memory access if the standard library changes its implementation.
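The following added example (not mio's code) contrasts the pointer cast described above with a layout-independent conversion that reads the address through std's public accessors. `CSockaddrIn`, the `AF_INET` value and the function names are assumptions: a constructed stand-in for the Linux `sockaddr_in`, where real code would use the platform's own definition.

```rust
use std::mem::{align_of, size_of};
use std::net::{Ipv4Addr, SocketAddrV4};

// Constructed stand-in for the Linux C `struct sockaddr_in` (assumption:
// real code would take the platform definition, e.g. from the libc crate).
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct CSockaddrIn {
    pub sin_family: u16,   // AF_INET, host byte order
    pub sin_port: u16,     // network byte order
    pub sin_addr: u32,     // network byte order
    pub sin_zero: [u8; 8], // padding required by the C definition
}

const AF_INET: u16 = 2; // value on Linux (assumption for this example)

// The pattern the advisory describes, kept as a comment because it relies on
// a layout std never promised:
//     let p = addr as *const SocketAddrV4 as *const CSockaddrIn;

/// Reports whether the two types agree on size and alignment on this
/// toolchain. Even `true` would not make the cast sound.
pub fn layout_looks_compatible() -> bool {
    size_of::<SocketAddrV4>() == size_of::<CSockaddrIn>()
        && align_of::<SocketAddrV4>() == align_of::<CSockaddrIn>()
}

/// Layout-independent conversion: fill in each C field explicitly.
pub fn to_c_sockaddr_in(addr: &SocketAddrV4) -> CSockaddrIn {
    CSockaddrIn {
        sin_family: AF_INET,
        sin_port: addr.port().to_be(),
        // octets() is already in network order; preserve that order in memory.
        sin_addr: u32::from_ne_bytes(addr.ip().octets()),
        sin_zero: [0; 8],
    }
}

fn main() {
    let addr = SocketAddrV4::new(Ipv4Addr::new(127, 0, 0, 1), 8080);
    println!("layouts look compatible: {}", layout_looks_compatible());
    println!("{:?}", to_c_sockaddr_in(&addr));
}
```

The result of `layout_looks_compatible()` depends on the Rust toolchain in use, which is exactly why code that casts between the two types cannot be relied on.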

CVSS Scores

version 3.1