{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6654", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-20T07:02:28.158Z", "datePublished": "2026-04-20T10:05:52.339Z", "dateUpdated": "2026-04-20T13:14:37.846Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-20T10:06:38.044Z"}, "title": "Use-After-Free and Double-Free in IntoIter::drop when element drop panics", "affected": [{"vendor": "Mozilla", "product": "thin-vec", "versions": [{"status": "unaffected", "version": "0.2.16", "lessThanOrEqual": "*", "versionType": "rpm"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero."}], "references": [{"url": "https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"}], "credits": [{"lang": "en", "value": "Juhyung Son", "type": "finder"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-415", "lang": "en", "description": "CWE-415 Double Free"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T13:14:05.808412Z", "id": "CVE-2026-6654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:14:37.846Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:14:05.808412Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-415", "description": "CWE-415 Double Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:14:31.022Z"}}], "cna": {"title": "Use-After-Free and Double-Free in IntoIter::drop when element drop panics", "credits": [{"lang": "en", "type": "finder", "value": "Juhyung Son"}], "affected": [{"vendor": "Mozilla", "product": "thin-vec", "versions": [{"status": "unaffected", "version": "0.2.16", "versionType": "rpm", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"}], "descriptions": [{"lang": "en", "value": "Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero."}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-20T10:06:38.044Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6654", "state": "PUBLISHED", "dateUpdated": "2026-04-20T13:14:37.846Z", "dateReserved": "2026-04-20T07:02:28.158Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-20T10:05:52.339Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero."}], "id": "CVE-2026-6654", "lastModified": "2026-04-20T19:05:30.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T11:16:19.937", "references": [{"source": "security@mozilla.org", "url": "https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0.2.16,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "thin-vec", "source": "cna", "vendor": "Mozilla"}, "product": "thin-vec", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-20T15:25:12.666430+00:00", "value": {"mitigation_remediation": ["Upgrade the thin-vec crate to the latest release once a patch is available.", "Add a defensive check that resets the vector length to zero before dropping elements, or replace the drop implementation with custom logic to avoid double free when panics occur.", "Enable runtime memory checking (e.g., address sanitizer or other tools) to detect double free or use\u2011after\u2011free incidents during development and testing."], "summary": {"action": "Update library", "impact": "Memory Corruption (UAF/Dereference)"}, "threat_synthesis": {"affected_systems": "Mozilla thin-vec \u2013 all versions prior to the patch are affected; no specific version information is provided in the advisory.", "description_and_impact": "The thin_vec crate contains an internal data structure ThinVec with IntoIter::drop and ThinVec::clear. If an element\u2019s drop function panics while iterating or clearing, the drop logic fails to set the length to zero, leaving a dangling pointer. This leads to a double free or use\u2011after\u2011free vulnerability (CWE\u2011415 and CWE\u2011416). The resulting memory corruption can cause program crashes or other unintended behavior.", "risk_and_exploitability": "The CVSS score is 5.1, and the EPSS score is less than 1%, indicating a low exploitation probability. The CVE is not listed in the CISA KEV catalog. The risk cannot be fully evaluated until a fix is released."}}}}, "created": "2026-04-20T12:00:05.959374+00:00", "updated": "2026-04-20T15:30:06.169068+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$thin-vec"], "weaknesses": ["CWE-415", "CWE-416"]}