CVE-2020-36434

Name of the Vulnerable Software and Affected Versions sys-info versions prior to 0.8.0

Description An issue was discovered in the sys-info crate that can trigger a double free when calling sys info::disk info. The affected versions of sys-info use a static, global list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single-threaded environment and will try to free the same memory twice in a multithreaded environment, resulting in consistent double-frees and segfaults when calling sys info::disk info from multiple threads at once.

Recommendations For versions prior to 0.8.0, update to version 0.8.0 or later to resolve the issue. As a temporary workaround, consider avoiding calls to sys info::disk info from multiple threads at once until a patch is available. Restrict access to the DFCleanup function to minimize the risk of exploitation. Avoid using the sys info::disk info function in multithreaded environments until the issue is resolved.