ThinVec Drop/ Clear DoubleFree & UAF Vulnerability in Mozilla ThinVec Crate
CVE-2026-6654 Published on April 20, 2026

Use-After-Free and Double-Free in IntoIter::drop when element drop panics
Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero.

NVD

Vulnerability Analysis

CVE-2026-6654 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Types

What is a Double-free Vulnerability?

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.

CVE-2026-6654 has been classified to as a Double-free vulnerability or weakness.

What is a Dangling pointer Vulnerability?

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2026-6654 has been classified to as a Dangling pointer vulnerability or weakness.


Affected Versions

Mozilla thin-vec: