{"id":"CVE-2026-6654","summary":"Use-After-Free and Double-Free in IntoIter::drop when element drop panics","details":"Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero.","aliases":["GHSA-xphw-cqx3-667j","RUSTSEC-2026-0103"],"modified":"2026-05-28T04:12:05.925942894Z","published":"2026-04-20T10:05:52.339Z","related":["CGA-955g-5fgm-8m9j"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6654.json","cna_assigner":"mozilla"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6654.json"},{"type":"ADVISORY","url":"https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6654"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mozilla/thin-vec","events":[{"introduced":"0"},{"last_affected":"70bcca0960a7e11056fa3281445d08052421dab5"}],"database_specific":{"source":"CPE_STRING","extracted_events":[{"introduced":"0"},{"last_affected":"0.2.15"}],"cpe":"cpe:2.3:a:mozilla:thin-vec:0.2.15:*:*:*:*:rust:*:*"}}],"versions":["v0.2.15","v0.2.13","v0.2.12","v0.2.11","v0.2.10","v0.2.9","v0.2.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-6654.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}