CVE-2021-45719: 
Rust vulnerability analysis and mitigation

The rusqlite crate versions 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust contains a use-after-free vulnerability. The issue stems from incorrect lifetime bounds on several closure-accepting functions that register callbacks to be invoked by SQLite. The vulnerability was discovered on December 7, 2021, and affects multiple functions under different feature configurations (RustSec Advisory, GitHub Issue).

The vulnerability affects several functions with relaxed lifetime bounds, including create_scalar_function, create_aggregate_function, create_window_function under the 'functions' feature; commit_hook, rollback_hook, and update_hook under the 'hooks' feature; and create_collation under the 'collation' feature. When a closure referencing borrowed values on the stack is passed to these functions, it could allow access to objects after they have been dropped. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to memory corruption through use-after-free conditions, potentially causing program crashes or undefined behavior when affected functions are used with closures that reference borrowed values on the stack (RustSec Advisory).

The vulnerability has been patched in versions 0.26.2 and newer, with a backport to version 0.25.4. Users are advised to upgrade to these patched versions. All affected versions have an upgrade path to a semver-compatible release (RustSec Advisory).