GHSA-qqmc-hwqp-8g2w: 
Rust vulnerability analysis and mitigation

The lru crate, a Rust package, was found to contain a use-after-free vulnerability affecting versions prior to 0.7.1. The vulnerability was discovered on December 10, 2021, and officially reported on December 21, 2021. The issue was identified in the LruCache implementation, specifically in its iterator functions (GitHub Advisory, RustSec Advisory).

The vulnerability exists in two iterator functions of the LruCache implementation: iter() and iter_mut(). These functions provide references to keys and values in the cache. The issue occurs when specific functions like pop() are called during iteration, which removes and frees the value while references to it still exist. This leads to a use-after-free condition where the code attempts to access already freed memory (LRU Issue).

When exploited, this vulnerability can lead to memory corruption and potential program crashes due to segmentation faults. The issue is particularly dangerous as it can result in undefined behavior and potential security implications in systems using the affected versions of the lru crate (RustSec Advisory).

The vulnerability has been patched in version 0.7.1 of the lru crate. Users are strongly advised to upgrade to this version or later to address the use-after-free vulnerability. No alternative workarounds were provided for users who cannot immediately upgrade (GitHub Advisory).