CVE-2021-45716: 
Rust vulnerability analysis and mitigation

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. The vulnerability involves a use-after-free condition in the create_collation function, which could allow access to objects on the stack after they have been dropped. This vulnerability was discovered on December 7, 2021, and affects multiple functions in the rusqlite library that register callbacks to be invoked by SQLite (RustSec Advisory, NVD).

The vulnerability stems from incorrect lifetime bounds on closure-accepting functions in rusqlite. The lifetime bound was too relaxed, particularly affecting functions that register callbacks for later invocation by SQLite. The issue has a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-416 (Use After Free) and affects multiple functions under different feature flags including functions, hooks, and collation features (NVD).

If exploited, this vulnerability could allow Rust code to access objects on the stack after they have been dropped when a closure referencing borrowed values on the stack is passed to one of the affected functions. This could lead to memory corruption and potential security implications in applications using the affected versions of rusqlite (RustSec Advisory).

The vulnerability has been patched in versions 0.26.2 and newer, with a backport to version 0.25.4. Users are advised to upgrade to these patched versions. Since the vulnerability does not exist in versions prior to 0.25.0, all affected versions have an upgrade path to a semver-compatible release (RustSec Advisory).