CVE-2026-6654: Use-After-Free and Double-Free in IntoIter::drop when element drop panics
Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero.
Security readout for executives and security teams
Plain-English summary
CVE-2026-6654 affects Mozilla's Rust thin-vec crate version 0.2.16. Under specific panic conditions, memory may be freed twice or used after being freed. This can crash software and may affect confidentiality or integrity. The source bundle does not show active exploitation or a named fixed version.
Executive priority
Treat as a high-priority dependency review, not an emergency internet-wide incident. Focus on systems using thin-vec 0.2.16, especially critical services where a local crash or memory safety failure has business impact.
Technical view
The issue is a double-free/use-after-free in `IntoIter::drop` and `ThinVec::clear`. If `ptr::drop_in_place` panics, length may not be reset to zero, allowing unsafe cleanup behavior. CVSS 3.1 is 7.3 high with local attack vector and high availability impact.
Likely exposure
Exposure is most likely in Rust applications or downstream packages that directly or transitively include thin-vec 0.2.16. Internet exposure is not established by the sources; the CVSS vector indicates local exploitation.
Exploitation context
No cited source or KEV entry indicates active exploitation. Practical risk depends on whether an application can reach the affected drop or clear paths and trigger a panic during element destruction.
Researcher notes
Evidence is limited to the provided advisory metadata and Red Hat references. The bundle names affected version 0.2.16 and the memory-safety mechanism, but does not provide exploit evidence, broad product impact, or a fixed version.
Mitigation direction
Inventory direct and transitive use of thin-vec 0.2.16.
Check the GitHub advisory for vendor remediation guidance.
Monitor Red Hat CVE and VEX pages for downstream status.
Update when a vendor-confirmed fixed version is available.
Prioritize software where crashes create operational or safety impact.
Validation and detection
Search dependency manifests, lockfiles, and SBOMs for thin-vec 0.2.16.
Identify products embedding Rust components that use thin-vec.
Review whether affected cleanup paths are reachable in your code.
Check Red Hat VEX data for affected downstream packages.
Document compensating controls if immediate update guidance is unavailable.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1341: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1341 · source CWE mapping
Multiple Releases of Same Resource or Handle
Multiple Releases of Same Resource or Handle represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.