CVE-2020-35888

Name of the Vulnerable Software and Affected Versions arr crate through 2020-08-25

Description The issue concerns the arr crate, which contains multiple security issues. These include incorrect implementation of Sync/Send bounds, allowing non-Sync/Send types to be smuggled across thread boundaries. Additionally, the Index and IndexMut implementation does not check array bounds. The Array::new from template() function drops uninitialized memory.

Recommendations For arr crate through 2020-08-25, consider updating to a version released after 2020-08-25 to address the security issues. As a temporary workaround, consider restricting the use of the Array::new from template() function until a patch is available. Avoid using the Index and IndexMut implementations without manually checking array bounds to prevent potential errors. Restrict access to the arr crate's Sync/Send bounds implementation to minimize the risk of smuggling non-Sync/Send types across thread boundaries. At the moment, there is no information about a newer version that contains a fix for this vulnerability.