GHSA-xrv3-jmcp-374j: 
Rust vulnerability analysis and mitigation

A moderate severity vulnerability was identified in the zerovec Rust package, tracked as GHSA-xrv3-jmcp-374j. The vulnerability affects versions >= 0.10.0, < 0.10.4 and < 0.9.7, and was published on July 8, 2024. The issue stems from incorrect usage of #[repr(packed)] attribute in the package's implementation (GitHub Advisory, RustSec Advisory).

The vulnerability arises from unsafe memory accesses made under the assumption that #[repr(packed)] has a guaranteed field order. However, the Rust specification does not provide this guarantee. With the introduction of Rust 1.80.0-beta, which began reordering fields of #[repr(packed)] structs, these assumptions led to illegal memory accesses. The vulnerability has been assigned a CVSS v4 score of 6.9 (Moderate), with attack vectors being local and requiring low complexity (GitHub Advisory).

The vulnerability primarily affects system integrity, as indicated by the CVSS metrics showing High impact on integrity while having no direct impact on confidentiality or availability. The issue can lead to memory corruption due to illegal memory accesses (GitHub Advisory, RustSec Advisory).

The vulnerability has been patched in versions 0.9.7 and 0.10.4. The fix involves using #[repr(C, packed)] instead of #[repr(packed)], which guarantees field order and prevents illegal memory accesses. Users are advised to upgrade to these patched versions (GitHub Advisory, RustSec Advisory).