CVE-2020-35899

Name of the Vulnerable Software and Affected Versions actix-service crate versions prior to 1.0.6

Description The issue arises from a custom implementation of a Cell primitive in the affected versions of the actix-service crate, which fails to track mutable references to the underlying data. This flaw allows obtaining multiple mutable references to the same object, potentially resulting in arbitrary memory corruption, most likely use-after-free. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations For versions prior to 1.0.6, update to version 1.0.6 or later, which corrects the flaw by switching from a bespoke Cell<T> implementation to Rc<RefCell<T>>.