PT-2020-17559 · Rust · Thex

Published 2020-12-08 · Updated 2021-08-25 · CVE-2020-35927

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

thex crate through 2020-12-08

Description

An issue in the thex crate allows cross-thread data races of non-Send types. Specifically, thex::Thex<T> implements Sync for all types T, but it is missing a bound for T: Send. This allows non-Send types, such as Rc, to be sent across thread boundaries, which can trigger undefined behavior and memory corruption.

Recommendations

For thex crate through 2020-12-08, consider restricting the use of thex::Thex<T> to only Send types to minimize the risk of exploitation. As a temporary workaround, avoid using thex::Thex<T> with non-Send types such as Rc until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
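
The missing bound described above, shown as an added example (not code from the thex crate or from this advisory). UnboundedCell and BoundedCell are hypothetical stand-ins for the pattern, and Probe with is_sync! is an assumed audit helper that reports at compile time whether a type is Sync, without spawning any threads.

```rust
use std::cell::UnsafeCell;
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical wrapper reproducing the pattern in the description:
// Sync is implemented for every T, with no `T: Send` bound.
#[allow(dead_code)]
pub struct UnboundedCell<T>(UnsafeCell<T>);
unsafe impl<T> Sync for UnboundedCell<T> {} // unsound for non-Send T

// Same wrapper with the bound the description says is missing.
#[allow(dead_code)]
pub struct BoundedCell<T>(UnsafeCell<T>);
unsafe impl<T: Send> Sync for BoundedCell<T> {}

// Compile-time probe: the inherent constant is chosen only when
// `T: Sync` holds; otherwise lookup falls back to the trait default.
pub struct Probe<T: ?Sized>(PhantomData<T>);
pub trait NotSync {
    const IS_SYNC: bool = false;
}
impl<T: ?Sized> NotSync for Probe<T> {}
impl<T: ?Sized + Sync> Probe<T> {
    pub const IS_SYNC: bool = true;
}

macro_rules! is_sync {
    ($t:ty) => {
        <Probe<$t>>::IS_SYNC
    };
}

// Rc is neither Send nor Sync, so a sound wrapper must not make it Sync.
pub fn unbounded_rc_is_sync() -> bool {
    is_sync!(UnboundedCell<Rc<u32>>)
}
pub fn bounded_rc_is_sync() -> bool {
    is_sync!(BoundedCell<Rc<u32>>)
}
pub fn bounded_u32_is_sync() -> bool {
    is_sync!(BoundedCell<u32>)
}

fn main() {
    println!("UnboundedCell<Rc<u32>>: Sync = {}", unbounded_rc_is_sync());
    println!("BoundedCell<Rc<u32>>:   Sync = {}", bounded_rc_is_sync());
    println!("BoundedCell<u32>:       Sync = {}", bounded_u32_is_sync());
}
```

The same probe can be pointed at any wrapper type in a dependency tree to confirm that it does not become Sync when instantiated with Rc.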

Weakness Enumeration

Related Identifiers

CVE-2020-35927
GHSA-J42V-6WPM-R847
RUSTSEC-2020-0090

Affected Products

Thex