PT-2020-17631 · Rust · Bunch

Published 2020-11-12 · Updated 2021-08-25 · CVE-2020-36450

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

bunch crate versions through 2020-11-12
Description

The issue concerns unconditional implementations of Send and Sync for Bunch<T>. This allows users to insert T: !Sync into Bunch<T>, potentially creating a data race by invoking the Bunch::get() API from multiple threads. It is also possible to send T: !Send to other threads by inserting T inside Bunch<T> and sending Bunch<T> to another thread, which allows a data race to be created by inserting types like T = Rc< >. Such data races can lead to memory corruption.
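The following is an added example, not code from the bunch crate or from this advisory. It uses a hypothetical, simplified Bunch<T> (append-only storage whose get() returns &T without holding a lock, which is the property that makes the auto-trait bounds matter) to show the unsound blanket impls the advisory describes beside the bounded impls that fix them, and then shares the container across threads to show that the fixed version still supports concurrent get() calls for types that are actually Sync.

```rust
use std::cell::UnsafeCell;
use std::sync::{Arc, Mutex};
use std::thread;

/// Hypothetical stand-in for the bunch crate's container (example code, not
/// the crate's own source): an append-only store whose get() hands out &T
/// without holding a lock, which is why the Send/Sync bounds on T matter.
pub struct Bunch<T> {
    // Boxing keeps each element at a stable address even when the Vec grows.
    items: UnsafeCell<Vec<Box<T>>>,
    lock: Mutex<()>,
}

// VULNERABLE pattern (as described in the advisory): blanket impls with no
// bounds on T, so Bunch<Rc<_>> becomes Send and Bunch<Cell<_>> becomes Sync.
// unsafe impl<T> Send for Bunch<T> {}
// unsafe impl<T> Sync for Bunch<T> {}
//
// FIXED: forward the auto traits only when T itself has them. push() moves a
// T into storage from any thread that holds &Bunch<T>, so Sync needs T: Send
// in addition to T: Sync.
unsafe impl<T: Send> Send for Bunch<T> {}
unsafe impl<T: Send + Sync> Sync for Bunch<T> {}

impl<T> Bunch<T> {
    pub fn new() -> Self {
        Bunch { items: UnsafeCell::new(Vec::new()), lock: Mutex::new(()) }
    }

    /// Append an element and return its index.
    pub fn push(&self, value: T) -> usize {
        let _guard = self.lock.lock().unwrap();
        // SAFETY: the Vec is only touched while `lock` is held.
        let v = unsafe { &mut *self.items.get() };
        v.push(Box::new(value));
        v.len() - 1
    }

    /// Borrow an element. The lock is released on return, so the returned &T
    /// may be read by many threads at once: exactly why Sync must be gated
    /// on T: Sync.
    pub fn get(&self, idx: usize) -> Option<&T> {
        let _guard = self.lock.lock().unwrap();
        // SAFETY: the Vec is read under the lock; each Box allocation never
        // moves and is only freed when the Bunch is dropped, which the &self
        // borrow held by the caller prevents.
        let v = unsafe { &*self.items.get() };
        v.get(idx).map(|b| unsafe { &*(&**b as *const T) })
    }
}

/// Compile-time checks: these calls only type-check for types with the trait.
pub fn assert_send<T: Send>() {}
pub fn assert_sync<T: Sync>() {}

/// Fill one Bunch with 0..n, share it across `readers` threads, and have each
/// thread sum the values it reads through get(). Returns the grand total.
pub fn concurrent_reads(n: u64, readers: usize) -> u64 {
    let bunch = Arc::new(Bunch::new());
    for i in 0..n {
        bunch.push(i);
    }
    let handles: Vec<_> = (0..readers)
        .map(|_| {
            let b = Arc::clone(&bunch);
            thread::spawn(move || (0..n as usize).map(|i| *b.get(i).unwrap()).sum::<u64>())
        })
        .collect();
    handles.into_iter().map(|h| h.join().unwrap()).sum()
}

fn main() {
    assert_send::<Bunch<u64>>();
    assert_sync::<Bunch<u64>>();
    // With the bounded impls these are compile errors, as they should be
    // (with the blanket impls they would compile and permit the data race):
    // assert_send::<Bunch<std::rc::Rc<u8>>>();
    // assert_sync::<Bunch<std::cell::Cell<u8>>>();
    println!("{}", concurrent_reads(100, 4)); // 4 * (0 + 1 + ... + 99) = 19800
}
```

The two commented-out assert lines in main() are the practical check: after applying bounded impls to a container like this, uncommenting them must fail to compile. If they build, the Send/Sync impls are still unconditional and the advisory's scenario (sending Rc across threads, reading a Cell from several threads through get()) remains reachable.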
Recommendations

As a temporary workaround, consider restricting the use of the Bunch<T> crate until a patch is available. Avoid using the Bunch::get() API from multiple threads to minimize the risk of exploitation. Restrict access to the Bunch<T> crate to minimize the risk of exploitation.

Exploit

Fix

Command Injection

Race Condition


Weakness Enumeration

Related Identifiers

CVE-2020-36450
GHSA-JWPH-QP5H-F9WJ
RUSTSEC-2020-0130

Affected Products

Bunch