RUSTSEC-2024-0002: 
Rust vulnerability analysis and mitigation

RUSTSEC-2024-0002 is a vulnerability discovered in the vmm-sys-util crate for Rust, affecting versions 0.5.0 through 0.12.0. The issue lies in the FamStructWrapper::deserialize implementation, which lacks proper bound checks during deserialization. The vulnerability was disclosed on January 2, 2024, and impacts the memory safety of applications using this crate (GitHub Advisory).

The vulnerability stems from the FamStructWrapper::deserialize implementation not verifying that the length stored in the header matches the flexible array length during deserialization. This mismatch in lengths can potentially lead to out-of-bounds memory access through Rust-safe methods. The issue has been assigned a CVSS v3.1 base score of 5.7 (Moderate) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L, indicating local attack vector with low complexity and no required privileges (GitHub Advisory).

The vulnerability can result in out-of-bounds memory access, potentially leading to memory corruption or information disclosure. The EPSS score of 0.148% (52nd percentile) suggests a relatively low likelihood of exploitation within 30 days of disclosure (GitHub Advisory).

The vulnerability has been patched in version 0.12.0 of the vmm-sys-util crate. The fix includes implementing a check that verifies the lengths of compared flexible arrays are equal for any deserialized header and aborting deserialization if they don't match. Additionally, the API was modified so that header length can only be modified through Rust-unsafe code, preventing out-of-bounds memory access from Rust-safe code (GitHub Advisory).