Out-of-bounds Read Affecting xmas-elf package, versions <0.10.0

Q: How to fix?

Upgrade xmas-elf to version 0.10.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-XMASELF-9689911
published14 Apr 2025
disclosed26 Mar 2025
creditDONGYEON YU

Report a new vulnerability Found a mistake?

Introduced: 26 Mar 2025

NewCWE-125 (opens in a new tab)

How to fix?

Upgrade xmas-elf to version 0.10.0 or higher.

Overview

xmas-elf is a library for parsing and navigating ELF data; zero-allocation, type-safe.

Affected versions of this package are vulnerable to Out-of-bounds Read due to improper validation of the index argument against the bucket_count and chain_count fields in the context of the ELF section size. An attacker can trigger out-of-bounds reads by manipulating these fields to exceed the bounds of the hash table section, coupled with out-of-bounds hash table indexes in the ELF file.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None