CVE-2020-36447

Name of the Vulnerable Software and Affected Versions v9 crate through 2020-12-18

Description An issue was discovered in the v9 crate, where affected versions unconditionally implement Sync for SyncRef<T>. This definition allows data races if &T is accessible through &SyncRef. The SyncRef<T> derives Clone and Debug, and the default implementations of those traits access &T by invoking T::clone() and T::fmt(). It is possible to create data races and undefined behavior by concurrently invoking SyncRef<T>::clone() or SyncRef<T>::fmt() from multiple threads with T: !Sync.

Recommendations For v9 crate through 2020-12-18, as a temporary workaround, consider avoiding concurrent invocation of SyncRef<T>::clone() or SyncRef<T>::fmt() from multiple threads with T: !Sync until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.