In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain conditions. This bug could result in a use-after-free or double free.
Reference: https://github.com/rust-lang/rust/issues/79808
Upstream patch: https://github.com/rust-lang/rust/pull/79814
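A regression check for the behaviour described above, as an added example that is not part of the original report or the upstream patch: it walks every head offset and length of a small ring buffer, calls make_contiguous, and verifies element order and that each element is dropped exactly once. The helper names and the capacity of 7 are assumptions chosen for illustration; the check is exhaustive over layouts rather than targeted, because the report does not state the triggering condition.

```rust
use std::cell::Cell;
use std::collections::VecDeque;
use std::rc::Rc;

/// Element that records how many times each id has been dropped.
struct Tracked {
    id: usize,
    drops: Rc<Vec<Cell<u32>>>,
}

impl Drop for Tracked {
    fn drop(&mut self) {
        self.drops[self.id].set(self.drops[self.id].get() + 1);
    }
}

/// Build a deque of `len` live elements after rotating the ring buffer by
/// `shift` push/pop pairs, call make_contiguous, and check order and drops.
fn check_layout(cap: usize, shift: usize, len: usize) -> bool {
    let drops = Rc::new((0..shift + len).map(|_| Cell::new(0u32)).collect::<Vec<_>>());
    let mut dq = VecDeque::with_capacity(cap);
    // Move the head forward so later pushes wrap around the buffer end.
    for id in 0..shift {
        dq.push_back(Tracked { id, drops: Rc::clone(&drops) });
        drop(dq.pop_front());
    }
    for id in shift..shift + len {
        dq.push_back(Tracked { id, drops: Rc::clone(&drops) });
    }
    let slice = dq.make_contiguous();
    let ordered = slice.len() == len
        && slice.iter().enumerate().all(|(i, t)| t.id == shift + i);
    drop(dq);
    // Every element, popped or still queued, must have been dropped exactly once.
    ordered && drops.iter().all(|c| c.get() == 1)
}

/// Returns the number of (shift, len) layouts that violated an invariant.
fn failing_layouts(cap: usize) -> usize {
    (0..2 * cap)
        .flat_map(|shift| (0..=cap).map(move |len| (shift, len)))
        .filter(|&(shift, len)| !check_layout(cap, shift, len))
        .count()
}

fn main() {
    // Constructed input: 7 is an arbitrary small capacity (assumption).
    println!("failing layouts: {}", failing_layouts(7));
}
```

On a fixed toolchain the count is 0; a non-zero count or a crash during the run indicates the standard library in use mishandles some layout.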
Statement: VecDeque::make_contiguous is not considered stable in versions of Rust prior to 1:48. As a result, it should not be used as shipped in Red Hat Enterprise Linux versions 8.3 and older.
FWIW, that fix was also beta-backported in time for the 1.49.0 release. https://github.com/rust-lang/rust/pull/79903
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2021:1935 https://access.redhat.com/errata/RHSA-2021:1935
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-36318
This issue has been addressed in the following products: Red Hat Developer Tools, via RHSA-2021:2243 https://access.redhat.com/errata/RHSA-2021:2243