CVE-2020-35886

Name of the Vulnerable Software and Affected Versions arr crate versions through 2020-08-25

Description The issue allows an attacker to smuggle non-Sync/Send types across a thread boundary, causing a data race. Specifically, the arr crate incorrectly implements Sync/Send bounds. Additionally, the Index and IndexMut implementation does not check the array bound, and Array::new from template() drops uninitialized memory.

Recommendations For arr crate versions through 2020-08-25, consider disabling the use of Index and IndexMut implementations until a patch is available. Restrict the use of Array::new from template() to prevent dropping uninitialized memory. As a temporary workaround, avoid using the arr crate to smuggle non-Sync/Send types across thread boundaries. At the moment, there is no information about a newer version that contains a fix for this vulnerability.