CVE-2021-45714: 
Rust vulnerability analysis and mitigation

An issue was discovered in the rusqlite crate versions 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. The vulnerability involves a use-after-free condition in the createaggregatefunction functionality. The issue was discovered on December 7, 2021, and affects the core functionality of the SQLite database operations in Rust applications (RustSec Advisory, NVD).

The vulnerability stems from incorrect lifetime bounds on closure-accepting functions in rusqlite. The lifetime bound was too relaxed, particularly for functions that register callbacks to be invoked by SQLite later. When a closure referencing borrowed values on the stack is passed to these functions, it could allow Rust code to access objects on the stack after they have been dropped, leading to use-after-free conditions (RustSec Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to memory corruption through use-after-free conditions, potentially causing application crashes or undefined behavior. This affects applications using the rusqlite crate for SQLite database operations in Rust (RustSec Advisory).

The vulnerability has been patched in versions 0.26.2 and newer, with a backport to version 0.25.4. Users are advised to upgrade to these patched versions. Since the vulnerability doesn't exist in versions prior to 0.25.0, all affected versions have an upgrade path to a semver-compatible release (RustSec Advisory).