PT-2020-17508 · Rust · Rio
Published: 2020-05-11 · Updated: 2021-08-25 · CVE-2020-35876
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
rio crate versions through 2020-05-11
Description
The issue allows attackers to obtain sensitive information, cause a use-after-free, or cause a data race by leaking a struct. Specifically, when a rio::Completion is leaked, its drop code does not run. That drop code is responsible for waiting until the kernel completes the I/O operation into, or out of, the buffer borrowed by rio::Completion. Leaking the struct therefore allows one to access and/or drop the buffer, leading to potential security issues. Upstream is not interested in fixing the issue.
Recommendations
For versions through 2020-05-11, consider implementing custom memory management that prevents the rio::Completion struct from being leaked, as a temporary workaround. Restrict access to the buffer borrowed by rio::Completion to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Use After Free
Missing Release of Resource after Effective Lifetime
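The leak described above, and one way to restrict access to the buffer, shown as an added example that is not code from the rio crate or from this advisory. The types `Ring`, `BorrowedCompletion` and `OwnedCompletion` are hypothetical, and the kernel is simulated by an in-flight counter so that the program stays memory-safe.

```rust
use std::{cell::Cell, mem};
// Constructed stand-in for the kernel side: counts operations still using a buffer.
struct Ring { in_flight: Cell<usize> }
// Hypothetical borrowed-buffer handle, modelled on the description above.
struct BorrowedCompletion<'a> { ring: &'a Ring, _buf: &'a mut [u8] }
impl<'a> BorrowedCompletion<'a> {
    fn submit(ring: &'a Ring, buf: &'a mut [u8]) -> Self {
        ring.in_flight.set(ring.in_flight.get() + 1);
        BorrowedCompletion { ring, _buf: buf }
    }
}
impl Drop for BorrowedCompletion<'_> {
    // Stands in for blocking until the kernel has finished with the buffer.
    fn drop(&mut self) { self.ring.in_flight.set(self.ring.in_flight.get() - 1); }
}

// Operations still in flight at the moment the caller regains the buffer.
fn borrowed_in_flight(leak: bool) -> usize {
    let ring = Ring { in_flight: Cell::new(0) };
    let mut buf = vec![0u8; 16];
    let c = BorrowedCompletion::submit(&ring, &mut buf);
    if leak { mem::forget(c) } else { drop(c) } // forget is safe code and skips Drop
    buf[0] = 1; // the borrow has ended, so the caller may write to or free `buf`
    ring.in_flight.get()
}

// Hardened shape (assumption): the handle owns the buffer; a leak keeps the memory valid.
struct OwnedCompletion<'a> { ring: &'a Ring, buf: Vec<u8> }
impl<'a> OwnedCompletion<'a> {
    fn submit(ring: &'a Ring, buf: Vec<u8>) -> Self {
        ring.in_flight.set(ring.in_flight.get() + 1);
        OwnedCompletion { ring, buf }
    }
    fn wait(self) -> Vec<u8> {
        self.ring.in_flight.set(self.ring.in_flight.get() - 1);
        self.buf
    }
}

// Returns (in flight before wait, in flight after wait, returned buffer length).
fn owned_in_flight() -> (usize, usize, usize) {
    let ring = Ring { in_flight: Cell::new(0) };
    let c = OwnedCompletion::submit(&ring, vec![0u8; 16]);
    let during = ring.in_flight.get(); // no buffer binding exists here to misuse
    let buf = c.wait();
    (during, ring.in_flight.get(), buf.len())
}

fn main() { println!("{:?}", (borrowed_in_flight(false), borrowed_in_flight(true), owned_in_flight())); }
```

With the borrowed handle, the leaked case returns the buffer to the caller while one operation is still counted as in flight; with the owned handle, the buffer is reachable again only through `wait()`.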
Affected Products
Rio