PatchSiren

CVE-2026-44983 servo CVE debrief

A heap buffer overflow vulnerability exists in the smallbitvec Rust crate, affecting versions 1.0.1 through 2.6.0. The root cause is an integer overflow in the internal capacity calculation, which produces an undersized heap allocation that is then written past its end. The bug is reachable through the crate's safe public API: the caller does not need to write any unsafe code to trigger the memory corruption. The CVSS 3.1 base score of 7.3 (HIGH) reflects a local attack vector, low attack complexity, no privileges required, no user interaction, low confidentiality and integrity impact, and high availability impact. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound). A fix is available in version 2.6.1.

Vendor
servo
Product
smallbitvec
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations running Rust applications that depend on smallbitvec for bit-vector operations, particularly those processing untrusted or variable-length data that could influence bit-vector sizing. Development teams using smallbitvec in security-sensitive contexts or with untrusted input should prioritize patching. Infrastructure teams managing Rust dependency caches and CI/CD pipelines should ensure version 2.6.1+ is enforced.

Technical summary

The smallbitvec crate, a growable bit-vector optimized for size, contains an integer overflow in its internal capacity calculation (versions 1.0.1 through 2.6.0). When the overflow occurs, the computed capacity is smaller than the number of bits actually requested, so the heap buffer that backs the bit-vector is undersized; subsequent writes through the vector's own accessors then run past the end of that buffer. Notably, the bug is reachable through entirely safe Rust APIs: the caller does not use unsafe code, but the crate's internal unsafe pointer arithmetic trusts the miscomputed capacity. Rust does not make this class of bug impossible on its own. Integer overflow on the built-in arithmetic operators panics only in debug builds; in release builds (overflow checks off by default) it wraps silently, which is why a capacity computed with plain arithmetic on a large, externally influenced size can wrap to a small value without any error being raised. The resulting heap buffer overflow can corrupt adjacent heap memory. The most likely outcome is a crash (the high availability impact in the CVSS vector); limited confidentiality or integrity impact is possible depending on heap layout and which data structures are adjacent.
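The following is an added, constructed illustration of the bug class described above; it is not smallbitvec's code and does not reproduce the crate's actual internals. It shows a toy bit-vector whose word count is rounded up with plain (wrapping) arithmetic next to the same structure built with checked arithmetic. All names (VulnBitVec, SafeBitVec, words_for_bits_wrapping, words_for_bits_checked) and the attacker-influenced size are hypothetical. The vulnerable variant reports the out-of-buffer write through get_mut instead of performing it through a raw pointer, so the example runs without undefined behaviour while still showing where the real overrun would happen.

```rust
// Added, constructed illustration of the bug class in the advisory: an
// integer overflow in a bit-vector's capacity calculation that yields an
// undersized heap buffer. This is a toy, NOT smallbitvec's own code; every
// name here (VulnBitVec, SafeBitVec, words_for_bits_*) is hypothetical.

const WORD_BITS: usize = 64;

/// Vulnerable pattern: rounding `nbits` up to whole 64-bit words with plain
/// arithmetic. `nbits + 63` wraps for large `nbits`; a release build (overflow
/// checks off by default) wraps silently, so the result is far too small.
/// `wrapping_add` models that release-mode behaviour explicitly.
pub fn words_for_bits_wrapping(nbits: usize) -> usize {
    nbits.wrapping_add(WORD_BITS - 1) / WORD_BITS
}

/// Hardened pattern: checked arithmetic, plus a check that the byte size stays
/// within Vec's isize::MAX limit, so any size that would wrap is refused.
pub fn words_for_bits_checked(nbits: usize) -> Option<usize> {
    let words = nbits.checked_add(WORD_BITS - 1)? / WORD_BITS;
    let bytes = words.checked_mul(std::mem::size_of::<u64>())?;
    if bytes > isize::MAX as usize { None } else { Some(words) }
}

/// Bit-vector built with the vulnerable calculation. Its public API is safe
/// Rust, yet for a large `nbits` the backing buffer is undersized.
pub struct VulnBitVec { nbits: usize, words: Vec<u64> }

impl VulnBitVec {
    pub fn with_len(nbits: usize) -> Self {
        VulnBitVec { nbits, words: vec![0u64; words_for_bits_wrapping(nbits)] }
    }

    pub fn allocated_words(&self) -> usize { self.words.len() }

    /// Models the library-internal store. The caller-visible bounds check
    /// against `nbits` passes, but the word index lands past the allocation.
    /// Code doing this write through a raw pointer would corrupt the heap;
    /// here `get_mut` lets us report the overrun instead of executing it.
    pub fn set(&mut self, bit: usize) -> Result<(), &'static str> {
        if bit >= self.nbits {
            return Err("index out of range");
        }
        match self.words.get_mut(bit / WORD_BITS) {
            Some(w) => { *w |= 1u64 << (bit % WORD_BITS); Ok(()) }
            None => Err("write would land past the undersized heap buffer"),
        }
    }
}

/// Same structure, fixed: construction fails cleanly instead of allocating
/// too little, so `set`/`get` can never reach a word outside the buffer.
pub struct SafeBitVec { nbits: usize, words: Vec<u64> }

impl SafeBitVec {
    pub fn with_len(nbits: usize) -> Result<Self, &'static str> {
        let nwords = words_for_bits_checked(nbits).ok_or("capacity overflow")?;
        Ok(SafeBitVec { nbits, words: vec![0u64; nwords] })
    }

    pub fn set(&mut self, bit: usize) -> Result<(), &'static str> {
        if bit >= self.nbits { return Err("index out of range"); }
        self.words[bit / WORD_BITS] |= 1u64 << (bit % WORD_BITS);
        Ok(())
    }

    pub fn get(&self, bit: usize) -> Result<bool, &'static str> {
        if bit >= self.nbits { return Err("index out of range"); }
        Ok(self.words[bit / WORD_BITS] & (1u64 << (bit % WORD_BITS)) != 0)
    }
}

fn main() {
    // Constructed attacker-influenced length: just large enough that
    // `nbits + 63` wraps around to zero, so zero words get allocated.
    let huge = usize::MAX - (WORD_BITS - 2);
    let mut v = VulnBitVec::with_len(huge);
    println!("vulnerable: asked for {} bits, allocated {} words", huge, v.allocated_words());
    println!("vulnerable set(0): {:?}", v.set(0));
    println!("hardened with_len: {:?}", SafeBitVec::with_len(huge).err());
}
```

Two practical points follow from the example. First, `cargo test` in a debug build would panic on the plain addition rather than wrap, so a test suite that only runs debug builds can miss this class of bug; running the affected code's tests with `-C overflow-checks=on` in release, or under Miri, surfaces the wrap. Second, the fix belongs in the capacity computation itself (checked or saturating arithmetic with an explicit error), not in the callers, because every safe API that sizes the buffer routes through it.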

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade smallbitvec to version 2.6.1 or later and commit the updated Cargo.lock so the fixed version is pinned across builds
  • Review dependency trees for transitive usage of vulnerable versions (for example with `cargo tree -i smallbitvec` in each workspace); the crate is more often pulled in indirectly than declared directly
  • Identify code paths where untrusted or externally controlled input can determine a bit-vector's length or capacity; those are the reachable trigger points and should be prioritized for patching and input limits
  • Monitor application logs and crash reports for unexpected aborts, segmentation faults, or allocator errors in processes that use smallbitvec, which are the most likely observable symptoms of the overflow
  • Exercise the affected code in release builds with integer overflow checks enabled (-C overflow-checks=on) or under Miri, since debug-only test runs panic on the overflow rather than reproducing the silent wrap that occurs in production builds

Evidence notes

Vulnerability disclosed via GitHub Security Advisory GHSA-97wc-2hqc-cjgr. Affected versions confirmed as 1.0.1 through 2.6.0. Fix version 2.6.1 confirmed. CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H yields score 7.3.

Official resources

GitHub Security Advisory GHSA-97wc-2hqc-cjgr, published 2026-05-26