PT-2020-17537 · Rust · Futures-Util

Published: 2020-10-22 · Updated: 2022-05-24 · CVE-2020-35905

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

futures-util crate versions prior to 0.3.7

Description

An issue in the futures-util crate can cause a data race in safe code when certain closures are used. The affected versions had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferences to U. This could lead to data races in safe Rust code when the closure passed to MutexGuard::map() returns a U that is unrelated to T.

Recommendations

Update to version 0.3.7 or later. That release fixes the issue by correcting the Send and Sync implementations and adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type.
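
The bound mismatch described above can be checked at the type level. The following is an added example, not code from the futures-util crate: `BuggyGuard`, `FixedGuard` and the `implements!` probe are hypothetical names for a simplified model of a guard that locks `T` but dereferences to `U`.

```rust
use std::{cell::Cell, marker::PhantomData, rc::Rc};

// Simplified stand-in for a mapped guard: it holds the lock over T but hands out U.
#[allow(dead_code)]
struct BuggyGuard<'a, T: ?Sized, U: ?Sized> {
    lock: &'a T,   // stands in for the reference to the mutex protecting T
    value: *mut U, // what Deref/DerefMut expose to the caller
}
// Pre-fix shape: only T is constrained, so U is never checked.
unsafe impl<'a, T: ?Sized + Send, U: ?Sized> Send for BuggyGuard<'a, T, U> {}
unsafe impl<'a, T: ?Sized + Sync, U: ?Sized> Sync for BuggyGuard<'a, T, U> {}

#[allow(dead_code)]
struct FixedGuard<'a, T: ?Sized, U: ?Sized> {
    lock: &'a T,
    value: *mut U,
    _marker: PhantomData<&'a mut U>, // marker named in the recommendation
}
// Corrected shape: U must satisfy the same bound as T.
unsafe impl<'a, T: ?Sized + Send, U: ?Sized + Send> Send for FixedGuard<'a, T, U> {}
unsafe impl<'a, T: ?Sized + Sync, U: ?Sized + Sync> Sync for FixedGuard<'a, T, U> {}

// Compile-time probe: the inherent const is chosen only when the bound holds,
// otherwise the blanket trait const (false) is used.
macro_rules! implements {
    ($ty:ty: $tr:ident) => {{
        #[allow(dead_code)]
        trait No { const YES: bool = false; }
        impl<X: ?Sized> No for X {}
        #[allow(dead_code)]
        struct Probe<X: ?Sized>(PhantomData<X>);
        #[allow(dead_code)]
        impl<X: ?Sized + $tr> Probe<X> { const YES: bool = true; }
        <Probe<$ty>>::YES
    }};
}

// Constructed cases: T = i32 is Send + Sync; Cell<i32> is !Sync, Rc<i32> is !Send.
fn buggy_is_sync() -> bool { implements!(BuggyGuard<'static, i32, Cell<i32>>: Sync) }
fn fixed_is_sync() -> bool { implements!(FixedGuard<'static, i32, Cell<i32>>: Sync) }
fn buggy_is_send() -> bool { implements!(BuggyGuard<'static, i32, Rc<i32>>: Send) }
fn fixed_is_send() -> bool { implements!(FixedGuard<'static, i32, Rc<i32>>: Send) }

fn main() {
    println!("pre-fix bounds: Sync={} Send={}", buggy_is_sync(), buggy_is_send());
    println!("fixed bounds:   Sync={} Send={}", fixed_is_sync(), fixed_is_send());
}
```

With the T-only bounds the compiler accepts the guard as `Sync` and `Send` even though `U` is neither, which is the condition under which safe code could share or move it across threads.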

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2020-35905
GHSA-RH4W-94HH-9943
OPENSUSE-SU-2024:11751-1
RUSTSEC-2020-0059

Affected Products

Futures-Util