CVE-2020-36461

Name of the Vulnerable Software and Affected Versions noise search crate versions through 2020-12-10

Description The issue concerns the unconditional implementation of Send and Sync for MvccRwLock in the noise search crate. This can lead to data races when types that are either !Send or !Sync (e.g., Rc<T>, Arc<Cell< >>) are contained inside MvccRwLock and sent across thread boundaries, potentially resulting in memory corruption. Additionally, the safe APIs of MvccRwLock allow aliasing violations by permitting &T and LockResult<MutexGuard<Box<T>>> to co-exist in conflicting lifetime regions.

Recommendations As a temporary workaround, consider restricting the use of MvccRwLock to prevent sending types that are either !Send or !Sync across thread boundaries until a patch is available. Avoid using the MvccRwLock APIs that allow aliasing violations, such as co-existing &T and LockResult<MutexGuard<Box<T>>> in conflicting lifetime regions, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.