CVE-2026-6654

Summary

Double-Free / Use-After-Free (UAF) in the IntoIter::drop and ThinVec::clear functions in the thin_vec crate. A panic in ptr::drop_in_place skips setting the length to zero.

Affected Software

VendorProductVersion RangeStatus
Mozillathin-vec0.2.16 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

thin-vec: mozilla/thin-vec: Memory corruption vulnerability via Double-Free/Use-After-Free

Additional References

References