
Cloud Vulnerability DB
A community-led vulnerabilities database
rustix, a crate of safe Rust bindings to POSIX-ish APIs, contains a vulnerability (CVE-2024-43806) in its rustix::fs::Dir iterator when the crate is built with the linux_raw backend. The advisory was published in August 2024 and affects releases before 0.35.15, and the 0.36, 0.37 and 0.38 series before 0.36.16, 0.37.25 and 0.38.19 respectively (GitHub Advisory).
Two defects in rustix::fs::Dir combine to produce the vulnerability. First, the iterator does not terminate after an I/O error from the underlying directory read: it yields the error but is left in a state where the next call simply retries, so a caller that skips errors and keeps iterating never reaches the end and spins forever. Second, Dir::read_more grows its read buffer every time it is called, whether or not the previous read actually needed more room. On its own each is a bug; together they mean every retry in that loop allocates a larger buffer, with nothing to stop the growth. Whether a given program hits this depends on how it consumes the iterator: code that stops at the first Err is not caught in the loop, while code that skips errors and continues is. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, i.e. an availability-only impact (GitHub Advisory).
When triggered, the result is fast, unbounded memory growth: on a hot path the process can consume gigabytes within seconds and is then killed by the out-of-memory (OOM) handler. The trigger is most likely on Linux virtual file systems such as /proc and /sys, where directories appear and disappear spontaneously (a /proc/<pid> tree vanishes the moment its process exits), so a read error part-way through iteration is an ordinary event rather than an edge case (GitHub Advisory).
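To make the two defects and their interaction concrete, here is a small Rust model of the iterator, added for this page rather than taken from rustix. It replaces the kernel with a FakeFd whose getdents returns one record per call and fails with ENOENT once the directory vanishes, and runs the same Dir iterator in Vulnerable and Fixed mode. The names (FakeFd, Dir, Mode, collect_readable), the 16-byte starting buffer and the doubling growth policy are assumptions of the model, not rustix internals, and the sample entries are constructed.

```rust
use std::io;

/// Constructed sample directory: three short names, then one long one. With
/// `vanish_after = Some(3)` it models a /proc/<pid>/fd that disappears mid-read.
pub const SAMPLE: &[&str] = &["0", "1", "2", "socket:[424242424242]"];

/// Stand-in for a directory fd read with getdents64 (a model, not rustix code).
pub struct FakeFd { entries: Vec<&'static str>, next: usize, vanish_after: Option<usize> }

impl FakeFd {
    pub fn new(entries: &[&'static str], vanish_after: Option<usize>) -> Self {
        FakeFd { entries: entries.to_vec(), next: 0, vanish_after }
    }
    /// One simulated syscall into a `cap`-byte buffer: one "name\n" record, an empty
    /// Vec at end of directory, EINVAL if the record does not fit, ENOENT once gone.
    fn getdents(&mut self, cap: usize) -> io::Result<Vec<u8>> {
        if matches!(self.vanish_after, Some(n) if self.next >= n) {
            return Err(io::ErrorKind::NotFound.into()); // ENOENT: directory vanished
        }
        let Some(name) = self.entries.get(self.next) else { return Ok(Vec::new()) };
        let rec = format!("{name}\n").into_bytes();
        if rec.len() > cap { return Err(io::ErrorKind::InvalidInput.into()); } // EINVAL
        self.next += 1;
        Ok(rec)
    }
}

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Mode { Vulnerable, Fixed }

/// Simplified Dir-style iterator; `Mode` selects pre-fix or post-fix behaviour.
pub struct Dir { fd: FakeFd, buf: Vec<u8>, pos: usize, done: bool, mode: Mode }

impl Dir {
    pub fn new(fd: FakeFd, mode: Mode) -> Self {
        Dir { fd, buf: Vec::with_capacity(16), pos: 0, done: false, mode }
    }
    pub fn buffer_capacity(&self) -> usize { self.buf.capacity() }
    /// Refills only run once the buffer is drained, so growing just swaps in a fresh one.
    fn grow(&mut self) { self.buf = Vec::with_capacity(self.buf.capacity() * 2); self.pos = 0; }

    fn read_more(&mut self) -> Option<io::Result<()>> {
        loop {
            if self.mode == Mode::Vulnerable {
                self.grow(); // defect 2: grow on every refill, needed or not
            }
            match self.fd.getdents(self.buf.capacity()) {
                Ok(rec) if rec.is_empty() => { self.done = true; return None; }
                Ok(rec) => {
                    self.buf.clear(); self.buf.extend_from_slice(&rec); self.pos = 0;
                    return Some(Ok(()));
                }
                Err(e) if e.kind() == io::ErrorKind::InvalidInput => {
                    if self.mode == Mode::Fixed { self.grow(); } // fix 2: grow only on EINVAL
                }
                Err(e) => {
                    if self.mode == Mode::Fixed { self.done = true; } // fix 1: halt after an error
                    return Some(Err(e)); // defect 1: Vulnerable stays ready to retry and regrow
                }
            }
        }
    }
}

impl Iterator for Dir {
    type Item = io::Result<String>;
    fn next(&mut self) -> Option<Self::Item> {
        loop {
            if self.done { return None; }
            if let Some(end) = self.buf[self.pos..].iter().position(|&b| b == b'\n') {
                let name = String::from_utf8_lossy(&self.buf[self.pos..self.pos + end]).into_owned();
                self.pos += end + 1;
                return Some(Ok(name));
            }
            if let Err(e) = self.read_more()? { return Some(Err(e)); }
        }
    }
}

/// The hot-path caller shape from the advisory: skip unreadable entries and keep going.
/// `max_steps` is a safety cap for this demo only; `halted == false` means it was hit.
pub fn collect_readable(dir: &mut Dir, max_steps: usize) -> (Vec<String>, usize, bool) {
    let mut names = Vec::new();
    for step in 0..max_steps {
        match dir.next() {
            None => return (names, step, true),
            Some(Ok(n)) => names.push(n),
            Some(Err(_)) => {}
        }
    }
    (names, max_steps, false)
}

fn main() {
    for mode in [Mode::Vulnerable, Mode::Fixed] {
        let mut dir = Dir::new(FakeFd::new(SAMPLE, Some(3)), mode);
        let (names, steps, halted) = collect_readable(&mut dir, 20);
        println!("{mode:?}: {} names, {steps} steps, halted={halted}, buffer={} bytes", names.len(), dir.buffer_capacity());
    }
}
```

Run against the vanishing directory, the Vulnerable iterator returns Err on every call after the third entry while the buffer doubles each time (16 MiB after 20 calls, and real code has no cap), whereas the Fixed iterator returns one Err, then None, and only grows the buffer when the kernel reports EINVAL. The loop in collect_readable is the caller shape that hangs; a consumer that stops at the first Err gets an error instead of an OOM, which is why the symptom depends on how the iterator is driven.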
The issue has been patched in versions 0.35.15, 0.36.16, 0.37.25 and 0.38.19; users should upgrade to these or later releases. There are no known workarounds (GitHub Advisory). Because rustix is usually a transitive dependency, check the lock file rather than Cargo.toml: cargo tree -i rustix lists every rustix version in the build graph and which crates pull it in, and cargo update -p rustix@<version> moves that instance to the latest compatible patch release.
The bug was first noticed in the Bandwhich project's issue tracker, where users reported crashes caused by memory exhaustion. The investigation was a community effort: contributor cyqsimon traced the bug to rustix and konnorandrews identified the specific problematic code (GitHub Issue).
Source: This report was generated using AI