CVE-2026-6654
Modified
Modified - Updated After Analysis
Double-Free and Use-After-Free in thin_vec Causes Panic
Vulnerability report for CVE-2026-6654, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-20
Last updated on: 2026-06-30
Assigner: Mozilla Corporation
Description
Description
Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | thin_vec | 0.2.15 |
| mozilla | thin_vec | 0.2.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-1341 | The product attempts to close or release a resource or handle more than once, without any successful open between the close operations. |