CVE-2022-36086

CVE-2022-36086 is a high-severity security vulnerability in linked_list_allocator (rust), affecting versions <= 0.10.1. It is fixed in 0.10.2.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

linkedlistallocator vulnerable to out-of-bound writes on Heap initialization and Heap::extend

Initialization Functions

The heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than 3 * size_of::<usize> because of metadata write operations.

Heap::extend

This vulnerability impacts three specific uses of the Heap::extend method:

  • When calling Heap::extend with a size smaller than two usizes (e.g., 16 on x86_64), the size was erroneously rounded up to the minimum size, which could result in an out-of-bounds write.
  • Calling Heap::extend on an empty heap tried to construct a heap starting at address 0, which is also an out-of-bounds write.
    • One specific way to trigger this accidentally is to call Heap::new (or a similar constructor) with a heap size that is smaller than two usizes. This was treated as an empty heap as well.
  • Calling Heap::extend on a heap whose size is not a multiple of the size of two usizes resulted in unaligned writes. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

To avoid this issue, ensure that the heap is only initialized with a size larger than 3 * size_of::<usize> and that the Heap::extend method is only called with sizes larger than 2 * size_of::<usize>(). Also, ensure that the total heap size is (and stays) a multiple of 2 * size_of::<usize>().

For more information

If you have any questions or comments about this advisory:

Acknowledgements

This issue was responsibly reported by Evan Richter at ForAllSecure and found with Mayhem and cargo fuzz.

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability impacts all the initialization functions on the Heap and LockedHeap types, including Heap::new, Heap::init, Heap::init_from_slice, and LockedHeap::new. It also affects multiple uses of the Heap::extend method.

CVE-2022-36086 has a CVSS score of 8.4 (High). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.10.2); upgrading removes the vulnerable code path.

Affected versions

linked_list_allocator (<= 0.10.1)

Security releases

linked_list_allocator → 0.10.2 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Has the problem been patched? What versions should users upgrade to?

We published a patch in version 0.10.2 and recommend all users to upgrade to it. This patch release includes the following changes:

  • The initialization functions now panic if the given size is not large enough to store the necessary metadata. Depending on the alignment of the heap bottom pointer, the minimum size is between 2 * size_of::<usize> and 3 * size_of::<usize>.
  • The extend method now panics when trying to extend an unitialized heap.
  • Extend calls with a size smaller than size_of::<usize>() * 2 are now buffered internally and not added to the list directly. The buffered region will be merged with future extend calls.
  • The size() method now returns the usable size of the heap, which might be slightly smaller than the top() - bottom() difference because of alignment constraints.

Frequently Asked Questions

  1. What is CVE-2022-36086? CVE-2022-36086 is a high-severity security vulnerability in linked_list_allocator (rust), affecting versions <= 0.10.1. It is fixed in 0.10.2.
  2. How severe is CVE-2022-36086? CVE-2022-36086 has a CVSS score of 8.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of linked_list_allocator are affected by CVE-2022-36086? linked_list_allocator (rust) versions <= 0.10.1 is affected.
  4. Is there a fix for CVE-2022-36086? Yes. CVE-2022-36086 is fixed in 0.10.2. Upgrade to this version or later.
  5. Is CVE-2022-36086 exploitable, and should I be worried? Whether CVE-2022-36086 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2022-36086 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-36086? Upgrade linked_list_allocator to 0.10.2 or later.

Stop the waste.
Protect your environment with Kodem.