
CVE Reports

Originally published at cvereports.com

GHSA-J8CJ-HW74-64JV: Critical Unsoundness in Rust 'hivex' Crate Leading to Double-Free and Use-After-Free


Vulnerability ID: GHSA-J8CJ-HW74-64JV
CVSS Score: 8.1
Published: 2026-02-28

A critical memory safety vulnerability exists in the hivex Rust crate (version 0.2.0), a binding for the Windows Registry hive extraction library. The vulnerability stems from incorrect implementation of the Drop trait and the exposure of raw handle creation APIs as safe functions.

These implementation flaws allow safe Rust code to trigger Double-Free (CWE-415) and Use-After-Free (CWE-416) conditions. Specifically, the close() method frees the underlying C resource without preventing the destructor from running, and the from_handle() function allows the creation of multiple owning references to the same underlying pointer. Successful exploitation results in undefined behavior, memory corruption, and potential arbitrary code execution.
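As an added illustration (not code from the hivex crate or from the advisory), the following Rust models both patterns against a stand-in for the C library that counts handle releases instead of freeing memory: the 0.2.0-style `close()` releases the handle twice, the patched pattern releases it once, and two `Hive` values built from one raw handle release it twice. `fake_hivex_close`, `LeakyHive`, `count_frees` and the per-thread counter are constructed for this example.

```rust
use std::cell::Cell;
// Stand-in for the C library (constructed for this example, not libhivex): it counts
// releases per thread, so a double-free shows up as a count of 2 instead of corruption.
thread_local! { static FREES: Cell<usize> = Cell::new(0); }

// Returns 0 for success, like a C close routine that reports status as an int.
fn fake_hivex_close(_handle: usize) -> i32 { FREES.with(|f| f.set(f.get() + 1)); 0 }

/// Mirrors the 0.2.0 pattern: `close` consumes `self` and releases the handle,
/// but `self` is still dropped when the method returns, so `Drop` releases it again.
struct LeakyHive { handle: usize }
impl LeakyHive {
    fn close(self) -> i32 { fake_hivex_close(self.handle) }
}
impl Drop for LeakyHive { fn drop(&mut self) { fake_hivex_close(self.handle); } }

/// Mirrors the 0.2.1 pattern: `close` forgets `self` after releasing the handle, and
/// `from_handle` is `unsafe` because the caller must guarantee it is the sole owner.
struct Hive { handle: usize }
impl Hive {
    unsafe fn from_handle(handle: usize) -> Hive { Hive { handle } }
    fn close(self) -> i32 {
        let status = fake_hivex_close(self.handle);
        std::mem::forget(self); // skip Drop: the handle is already released
        status
    }
}
impl Drop for Hive { fn drop(&mut self) { fake_hivex_close(self.handle); } }

/// Runs `f` and returns how many times the stand-in library released a handle.
fn count_frees(f: impl FnOnce()) -> usize {
    FREES.with(|c| c.set(0));
    f();
    FREES.with(|c| c.get())
}

pub fn frees_vulnerable_close() -> usize { count_frees(|| { LeakyHive { handle: 1 }.close(); }) }
pub fn frees_fixed_close() -> usize { count_frees(|| { Hive { handle: 1 }.close(); }) }
/// Two owners of one raw handle: each `Drop` releases it, so the second release is a
/// double-free (or a use-after-free if the first owner dies while the second is in use).
pub fn frees_two_owners() -> usize {
    count_frees(|| unsafe { let a = Hive::from_handle(7); let b = Hive::from_handle(7); drop(a); drop(b); })
}

fn main() {
    println!("vulnerable close: {} release(s)", frees_vulnerable_close()); // 2
    println!("fixed close: {} release(s)", frees_fixed_close());           // 1
    println!("two owners: {} release(s)", frees_two_owners());             // 2
}
```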

TL;DR

The 'hivex' crate v0.2.0 contains critical unsoundness issues. Calling the public close() method causes a double-free when the object goes out of scope. Additionally, the from_handle API allows creating multiple owners for a single C-handle, leading to Use-After-Free. Update to version 0.2.1 immediately.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-J8CJ-HW74-64JV
  • CWE IDs: CWE-415 (Double Free), CWE-416 (Use After Free)
  • CVSS (Est.): 8.1 (High)
  • Platform: Rust / crates.io
  • Attack Vector: Local / Context Dependent
  • Patch Status: Fixed in v0.2.1

Affected Systems

  • Rust applications using hivex crate version 0.2.0
  • hivex = 0.2.0 (fixed in 0.2.1)

Code Analysis

Commit: f4c7a0d

Fix unsoundness in hivex crate: prevent double-free in close() and mark from_handle as unsafe

@@ -123,7 +123,7 @@ impl Hive {
-    pub const fn from_handle(handle: *mut sys::hive_h) -> Hive {
+    pub unsafe fn from_handle(handle: *mut sys::hive_h) -> Hive {
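Review bot: The new `pub unsafe fn from_handle` signature carries no `/// # Safety` section stating what the caller must uphold, namely that `handle` is a valid, non-null `*mut sys::hive_h` not owned by any other `Hive`, since `Drop` will pass it to `hivex_close`; without that comment, callers auditing their `unsafe` blocks have nothing to verify against. Note also that the change drops `const` and turns a safe function into an unsafe one, which is a breaking API change and belongs in the changelog for 0.2.1.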
@@ -134,6 +134,7 @@ impl Hive {
     pub fn close(self) -> std::io::Result<()> {
         let status = unsafe { sys::hivex_close(self.as_handle()) };
         let result = check_status_zero(status);
+        std::mem::forget(self);
         result
     }
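Review bot: `std::mem::forget(self)` runs regardless of whether `check_status_zero(status)` reported failure, so on a non-zero status the handle is deliberately leaked rather than released again by `Drop`; that is the right trade-off, but the hunk leaves it unexplained, so add a comment such as `// hivex_close already released the handle; skip Drop so it is not freed twice` and mention the leak-on-error behaviour in the method's docs. If `Hive` holds any owned fields besides the raw handle, `forget` leaks those too; wrapping `self` in `std::mem::ManuallyDrop` and dropping the other fields explicitly would be the tighter alternative.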

Mitigation Strategies

  • Dependency Update
  • API Audit

Remediation Steps:

  1. Update the hivex entry in Cargo.toml to require the patched version (0.2.1 or later).
  2. Run cargo update -p hivex to fetch version 0.2.1.
  3. Audit code for usages of Hive::from_handle. If found, wrap them in unsafe blocks and manually verify ownership semantics, as this function is now correctly marked unsafe.

Read the full report for GHSA-J8CJ-HW74-64JV on our website for more details including interactive diagrams and full exploit analysis.
