Affected versions of this crate assumed that Borrow was guaranteed to return the same value on .borrow(). The borrowed index value was used to retrieve a mutable reference to a value.

If the Borrow implementation returned a different index, the split arena would allow retrieving the index as a mutable reference creating two mutable references to the same element. This violates Rust's aliasing rules and allows for memory safety issues such as writing out of bounds and use-after-frees.

The flaw was corrected in commit 6b83f9d by storing the .borrow() value in a temporary variable.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-28032
• bennetthardwick/nano-arena#1
• https://rustsec.org/advisories/RUSTSEC-2021-0031.html
• bennetthardwick/nano-arena@6b83f9d