{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6654", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-20T07:02:28.158Z", "datePublished": "2026-04-20T10:05:52.339Z", "dateUpdated": "2026-04-20T13:14:37.846Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-20T10:06:38.044Z"}, "title": "Use-After-Free and Double-Free in IntoIter::drop when element drop panics", "affected": [{"vendor": "Mozilla", "product": "thin-vec", "versions": [{"status": "unaffected", "version": "0.2.16", "lessThanOrEqual": "*", "versionType": "rpm"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero."}], "references": [{"url": "https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"}], "credits": [{"lang": "en", "value": "Juhyung Son", "type": "finder"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-415", "lang": "en", "description": "CWE-415 Double Free"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T13:14:05.808412Z", "id": "CVE-2026-6654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:14:37.846Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:14:05.808412Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-415", "description": "CWE-415 Double Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:14:31.022Z"}}], "cna": {"title": "Use-After-Free and Double-Free in IntoIter::drop when element drop panics", "credits": [{"lang": "en", "type": "finder", "value": "Juhyung Son"}], "affected": [{"vendor": "Mozilla", "product": "thin-vec", "versions": [{"status": "unaffected", "version": "0.2.16", "versionType": "rpm", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"}], "descriptions": [{"lang": "en", "value": "Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero."}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-20T10:06:38.044Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6654", "state": "PUBLISHED", "dateUpdated": "2026-04-20T13:14:37.846Z", "dateReserved": "2026-04-20T07:02:28.158Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-20T10:05:52.339Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thin-vec:0.2.15:*:*:*:*:rust:*:*", "matchCriteriaId": "CABF3FE5-A5CB-491C-A9B3-D1D63D157AB0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero."}], "id": "CVE-2026-6654", "lastModified": "2026-05-12T15:19:28.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T11:16:19.937", "references": [{"source": "security@mozilla.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "thin-vec: mozilla/thin-vec: Memory corruption vulnerability via Double-Free/Use-After-Free", "id": "2459689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459689"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-1341", "details": ["A flaw was found in the `thin_vec` component of `mozilla/thin-vec`. This vulnerability involves a memory management error known as a Double-Free/Use-After-Free (UAF), which occurs in the `IntoIter::drop` and `ThinVec::clear` functions. When a specific error condition (a panic in `ptr::drop_in_place`) is triggered, the system fails to correctly manage memory, potentially allowing an attacker to execute malicious code or cause the application to crash, leading to a denial of service."], "name": "CVE-2026-6654", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "rust-toolset:rhel8/rust", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruff", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-04-20T10:05:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6654\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6654\nhttps://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"], "statement": "This vulnerability affects version 0.2.15 of thin-vec, which is not included in any Red Hat products.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0.2.16,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "thin-vec", "source": "cna", "vendor": "Mozilla"}, "product": "thin-vec", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T07:17:05.354865+00:00", "value": {"mitigation_remediation": ["Upgrade the thin-vec crate to the latest release once a patch is available.", "Add a defensive check that resets the vector length to zero before dropping elements, or replace the drop implementation with custom logic to avoid double free when panics occur.", "Enable runtime memory checking (e.g., address sanitizer or other tools) to detect double free or use\u2011after\u2011free incidents during development and testing."], "summary": {"action": "Update library", "impact": "Memory Corruption (UAF/Dereference)"}, "threat_synthesis": {"affected_systems": "Mozilla thin-vec \u2013 all versions prior to the patch are affected; no specific version information is provided in the advisory.", "description_and_impact": "The thin_vec crate contains an internal data structure ThinVec with IntoIter::drop and ThinVec::clear. If an element\u2019s drop function panics while iterating or clearing, the drop logic fails to set the length to zero, leaving a dangling pointer. This leads to a double free or use\u2011after\u2011free vulnerability (CWE\u2011415 and CWE\u2011416). The resulting memory corruption can cause program crashes or other unintended behavior.", "risk_and_exploitability": "The CVSS score is 5.1, and the EPSS score is less than 1%, indicating a low exploitation probability. The CVE is not listed in the CISA KEV catalog. The risk cannot be fully evaluated until a fix is released."}}}}, "created": "2026-04-20T12:00:05.959374+00:00", "updated": "2026-04-22T07:30:11.610808+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$thin-vec"]}