PT-2020-17617 · Rust · Tiny Future

Published: 2020-12-08 · Updated: 2021-08-25 · CVE-2020-36438

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

tiny future versions prior to 0.4.0

Description

The issue is in the tiny future crate, which contains a light-weight implementation of Futures. The Send and Sync implementations for its Future type lack trait bounds, so non-thread-safe types such as Cell can be used in Futures and cause data races in concurrent programs.

Recommendations

Update to version 0.4.0 or later, which corrects the flaw by adding trait bounds to Future's Send and Sync implementations in commit c791919. As a temporary workaround, avoid using non-thread-safe types such as Cell in Futures to minimize the risk of data races in concurrent programs.
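
The difference between unbounded and bounded marker impls, as an added Rust example that is not the crate's own code. `Slot`, `UnboundedFuture`, `BoundedFuture` and the `is_thread_safe!` probe are hypothetical names, and the exact bounds on the hardened impls are an assumption, since the page only says that bounds were added.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::sync::{Arc, Condvar, Mutex};
use std::thread;

// Hypothetical stand-in, not the crate's internals. PhantomData<*const T> disables
// the auto traits, so Send/Sync come only from the `unsafe impl`s below.
struct Slot<T> { value: Mutex<Option<T>>, cv: Condvar, _raw: PhantomData<*const T> }

// Vulnerable shape: the marker impls accept every T, Cell included.
#[allow(dead_code)] pub struct UnboundedFuture<T>(Slot<T>);
unsafe impl<T> Send for UnboundedFuture<T> {}
unsafe impl<T> Sync for UnboundedFuture<T> {}

// Hardened shape (exact bounds are an assumption): T: Sync is what rejects Cell.
pub struct BoundedFuture<T>(Slot<T>);
unsafe impl<T: Send> Send for BoundedFuture<T> {}
unsafe impl<T: Send + Sync> Sync for BoundedFuture<T> {}

impl<T> BoundedFuture<T> {
    pub fn new() -> Self {
        BoundedFuture(Slot { value: Mutex::new(None), cv: Condvar::new(), _raw: PhantomData })
    }
    pub fn set(&self, v: T) { *self.0.value.lock().unwrap() = Some(v); self.0.cv.notify_all(); }
    pub fn get(&self) -> T { // blocks until a value has been set
        let mut slot = self.0.cv.wait_while(self.0.value.lock().unwrap(), |s| s.is_none()).unwrap();
        slot.take().unwrap()
    }
}

// Compile-time probe: the inherent const applies only when $t: Send + Sync.
macro_rules! is_thread_safe { ($t:ty) => {{
    trait No { const OK: bool = false; }
    impl<T: ?Sized> No for T {}
    #[allow(dead_code)] struct Probe<T: ?Sized>(PhantomData<T>);
    impl<T: ?Sized + Send + Sync> Probe<T> { const OK: bool = true; }
    <Probe<$t>>::OK
}}; }

pub fn unbounded_accepts_cell() -> bool { is_thread_safe!(UnboundedFuture<Cell<u32>>) }
pub fn bounded_accepts_cell() -> bool { is_thread_safe!(BoundedFuture<Cell<u32>>) }
pub fn bounded_roundtrip() -> u32 {
    let fut = Arc::new(BoundedFuture::<u32>::new());
    let tx = Arc::clone(&fut);
    thread::spawn(move || tx.set(42)).join().unwrap(); // needs Send + Sync
    fut.get()
}
fn main() {
    println!("{} {} {}", unbounded_accepts_cell(), bounded_accepts_cell(), bounded_roundtrip());
}
```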

Fix

Race Condition

Buffer Overflow


Weakness Enumeration

Related Identifiers

CVE-2020-36438
GHSA-FG42-VWXX-XX5J
GHSA-M296-J53X-XV95
RUSTSEC-2020-0118

Affected Products

Tiny Future