CVE-2026-42199 Overview
CVE-2026-42199 is an integer overflow vulnerability in the grid crate, a data structure library for Rust. The flaw affects versions 0.17.0 through versions prior to 1.0.1. An integer overflow in the Grid::expand_rows() function corrupts the relationship between the grid's logical dimensions and its backing storage. Once the internal invariant breaks, calls to the safe get() API can invoke get_unchecked() with an invalid index, producing Undefined Behavior. The maintainer addressed the issue in version 1.0.1.
Critical Impact
Local attackers who can influence grid dimensions can trigger Undefined Behavior, leading to memory safety violations and application crashes in Rust programs depending on the grid crate.
Affected Products
- grid crate for Rust, versions 0.17.0 to before 1.0.1
- Rust applications and libraries depending on vulnerable versions of grid
- Downstream crates statically linking the affected versions
Discovery Timeline
- 2026-05-08 - CVE-2026-42199 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42199
Vulnerability Analysis
The grid crate provides a two-dimensional data structure backed by a single contiguous Vec. The library maintains an internal invariant that the product of rows and columns equals the length of the backing storage. The Grid::expand_rows() method extends the grid by adding new rows, computing the new total size through arithmetic on the row and column counts. When that arithmetic overflows a machine integer, the computed allocation size no longer matches the logical dimensions reported by the grid object. This vulnerability is classified under CWE-190: Integer Overflow or Wraparound.
Root Cause
The root cause is unchecked multiplication or addition inside expand_rows() when computing the new storage capacity. Rust release builds perform wrapping arithmetic by default on integer operations, so the overflow produces a smaller-than-expected value rather than panicking. The grid then records logical dimensions that exceed the actual backing buffer length. Subsequent calls to the safe get() accessor bypass bounds validation and delegate to get_unchecked(), which performs unchecked indexing into memory outside the allocated region.
Attack Vector
An attacker who controls grid dimensions passed to expand_rows() can trigger the overflow. Out-of-bounds reads via get() produce Undefined Behavior, which the Rust compiler may translate into crashes, memory corruption, or unpredictable execution. The attack requires local access to a process that accepts attacker-influenced row or column counts. Exploitation does not require authentication or user interaction, but the impact is limited to availability of the affected process.
No verified exploit code is publicly available. For technical specifics, refer to the GitHub Security Advisory GHSA-38c5-483c-4qqp and the fix commit.
Detection Methods for CVE-2026-42199
Indicators of Compromise
- Unexpected process termination or SIGSEGV signals in Rust applications using the grid crate
- Sanitizer reports (AddressSanitizer, MemorySanitizer) flagging out-of-bounds reads originating from Grid::get() call sites
- Cargo dependency manifests pinning grid to versions between 0.17.0 and 1.0.0 inclusive
Detection Strategies
- Run cargo audit against project lockfiles to flag vulnerable grid versions referenced by advisory GHSA-38c5-483c-4qqp
- Audit source code for calls to Grid::expand_rows() that accept externally supplied row counts without prior bounds checking
- Execute test suites under cargo +nightly miri or with AddressSanitizer enabled to surface Undefined Behavior triggered by overflowed dimensions
Monitoring Recommendations
- Monitor crash telemetry and core dumps for Rust services that consume the grid crate
- Track software composition analysis (SCA) alerts that reference RUSTSEC advisories tied to this CVE
- Review CI/CD pipeline logs for failed dependency security scans after enabling cargo deny policies
How to Mitigate CVE-2026-42199
Immediate Actions Required
- Upgrade the grid crate to version 1.0.1 or later in Cargo.toml and rebuild affected binaries
- Run cargo update -p grid to refresh the lockfile, then redeploy compiled artifacts
- Inventory all Rust services and tools that transitively depend on vulnerable grid versions through SCA tooling
Patch Information
The maintainer released the fix in grid v1.0.1. The corrective change is documented in commit be213bd3, which adds overflow-checked arithmetic to expand_rows() and preserves the invariant between logical dimensions and backing storage length. Consumers should pin to 1.0.1 or higher.
Workarounds
- Validate and cap row and column counts before invoking Grid::expand_rows() to prevent overflow in arithmetic
- Wrap calls to expand_rows() in checked arithmetic using usize::checked_mul and usize::checked_add on caller-supplied inputs
- Avoid exposing expand_rows() to untrusted input until the upgrade is deployed
# Update the grid crate to the patched version
cargo update -p grid --precise 1.0.1
# Verify no vulnerable versions remain
cargo tree -i grid
cargo audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
