GHSA-qq4c-hm99-979m: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-qq4c-hm99-979m) affects the id-map Rust crate versions 0.1.6 through 0.2.1, discovered and disclosed in August 2025. The issue lies in the constructor idmap::IdMap::fromiter, which can create ill-formed objects where the amount of initialized memory is less than expected by the IdMap fields (GitHub Advisory, RustSec Advisory).

The vulnerability stems from a flaw in the IdMap::from_iter constructor where the ids field is initialized based on the capacity of the values vector, rather than its actual length. When the vector's length is smaller than its capacity, the destructor incorrectly assumes values contains ids.len() == values.capacity() initialized elements. This mismatch leads to the destructor attempting to iterate over and drop uninitialized memory (GitHub Issue). The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Moderate) with the vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

When exploited, this vulnerability results in undefined behavior and potential segmentation faults due to the dereferencing and attempted freeing of uninitialized memory. The issue primarily affects the availability of systems using the vulnerable versions of the id-map crate (RustSec Advisory).

The vulnerability has been patched in version 0.2.2 of the id-map crate, where all unsafe code was removed. The maintainer recommends using alternative crates such as slab or slotmap as better-optimized alternatives (GitHub Advisory, RustSec Advisory).