CVE Vulnerabilities

CVE-2026-6654

Double Free

Published: Apr 20, 2026 | Modified: Jun 30, 2026
CVSS 3.x
5.1
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
7.3 IMPORTANT
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Double-Free / Use-After-Free (UAF) in the IntoIter::drop and ThinVec::clear functions in the thin_vec crate. A panic in ptr::drop_in_place skips setting the length to zero.

Weakness

The product calls free() twice on the same memory address.

Affected Software

NameVendorStart VersionEnd Version
Thin-vecMozilla0.2.15 (including)0.2.15 (including)
Rust-thin-vecUbuntuquesting*

Potential Mitigations

References