
Cloud Vulnerability DB
A community-led vulnerabilities database
The arenavec Rust crate (version <= 0.1.1) contains multiple critical memory corruption vulnerabilities discovered in September 2025. These vulnerabilities exist in the crate's safe APIs and can lead to various memory safety issues including arbitrary memory access, heap buffer overflow, and double-free violations (GitHub Advisory, RustSec Advisory).
The vulnerabilities manifest in three main areas: 1) The arenavec::common::AllocHandle trait's methods (allocate and allocate_or_extend) return raw pointers without being marked as unsafe, allowing potential arbitrary memory access through safe APIs like SliceVec::push, 2) The SliceVec::reserve implementation can cause a mismatch between capacity and actual reserved memory due to incorrect behavior in allocate_inner, leading to heap buffer overflow, and 3) The SliceVec::split_off method can cause ownership duplication of elements implementing the Drop trait, resulting in double-free violations when at == 0 (GitHub Issue 4, GitHub Issue 5, GitHub Issue 6). The vulnerability has a CVSS v4 base score of 8.9 (High), with Network attack vector, Low attack complexity, and High impact on confidentiality, integrity, and availability (GitHub Advisory).
The vulnerabilities can lead to severe memory corruption issues including arbitrary memory access, heap buffer overflows, and double-free violations. These issues can potentially result in program crashes, memory leaks, and security breaches in applications using the affected versions of the arenavec crate (GitHub Advisory, RustSec Advisory).
Currently, there are no patched versions available for these vulnerabilities. Users of the arenavec crate should consider using alternative implementations or implementing their own safe versions of the affected functionality (RustSec Advisory).
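For anyone replacing or reimplementing the split functionality, a drop-count regression test catches the ownership duplication described for split_off, including the at == 0 boundary. The following is an added example, not code from the arenavec crate or the advisories: the names Tracked, drop_counts_after_split and every_element_dropped_once are hypothetical, and the standard library's Vec::split_off stands in for the container under test.

```rust
use std::cell::RefCell;

thread_local! {
    // Per-thread drop tally, indexed by element id.
    static DROPS: RefCell<Vec<u32>> = RefCell::new(Vec::new());
}

/// Hypothetical test element. It owns no heap memory, so a duplicated
/// drop is tallied rather than corrupting the harness itself.
struct Tracked(usize);

impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.with(|d| d.borrow_mut()[self.0] += 1);
    }
}

/// Builds `len` tracked elements, splits them at `at` with the supplied
/// function, drops both halves, and returns how often each id was dropped.
/// A count of 2 or more means duplicated ownership; 0 means a leak.
fn drop_counts_after_split<F>(len: usize, at: usize, split: F) -> Vec<u32>
where
    F: FnOnce(&mut Vec<Tracked>, usize) -> Vec<Tracked>,
{
    DROPS.with(|d| *d.borrow_mut() = vec![0; len]);
    {
        let mut head: Vec<Tracked> = (0..len).map(Tracked).collect();
        let _tail = split(&mut head, at);
        // `head` and `_tail` both go out of scope here.
    }
    DROPS.with(|d| d.borrow().clone())
}

/// True when every element was dropped exactly once.
fn every_element_dropped_once(counts: &[u32]) -> bool {
    counts.iter().all(|&c| c == 1)
}

fn main() {
    // Boundaries matter: at == 0 moves everything, at == len moves nothing.
    for at in [0usize, 2, 4] {
        let counts = drop_counts_after_split(4, at, |v, at| v.split_off(at));
        println!("at={at}: counts={counts:?} ok={}", every_element_dropped_once(&counts));
    }
}
```

To test another container, swap the Vec type and the closure for that container's own constructor and split method.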
Source: This report was generated using AI