PT-2020-17644 · Rust · Syncpool

Published: 2020-11-29 · Updated: 2021-08-25 · CVE-2020-36462

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

syncpool crate versions prior to 0.1.6

Description

An issue in the syncpool crate allows sending non-Send types to other threads, leading to data races when non-Send types like Cell<T> or Rc<T> are contained inside Bucket2 and sent across thread boundaries. This can potentially lead to memory corruption. The flaw was corrected by adding a T: Send bound to the Send impl of Bucket2<T>.

Recommendations

For versions prior to 0.1.6, update to version 0.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of non-Send types like Cell<T> or Rc<T> inside Bucket2 to minimize the risk of data races and memory corruption.
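
The unconditional Send impl and the corrected T: Send bound described above, shown side by side as an added example that is not syncpool's own code. The Bucket types in the before and after modules are hypothetical stand-ins for Bucket2, and Probe / is_send! is an illustrative compile-time check that reports whether a type is accepted as Send.

```rust
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical stand-ins for Bucket2<T>; not syncpool's actual definitions.
mod before {
    #[allow(dead_code)]
    pub struct Bucket<T> { pub slot: *mut T }
    // Unsound: promises Send for every T, including Rc<_>.
    unsafe impl<T> Send for Bucket<T> {}
}
mod after {
    #[allow(dead_code)]
    pub struct Bucket<T> { pub slot: *mut T }
    // Corrected: the container is Send only when its contents are.
    unsafe impl<T: Send> Send for Bucket<T> {}
}

// Compile-time probe (illustrative helper): the inherent constant is chosen
// when the type is Send; otherwise resolution falls back to the trait default.
#[allow(dead_code)]
struct Probe<T: ?Sized>(PhantomData<T>);
trait Fallback { const IS_SEND: bool = false; }
impl<T: ?Sized> Fallback for Probe<T> {}
#[allow(dead_code)]
impl<T: ?Sized + Send> Probe<T> { const IS_SEND: bool = true; }
macro_rules! is_send { ($t:ty) => { <Probe<$t>>::IS_SEND }; }

// With the blanket impl, a bucket of Rc<u32> is wrongly treated as Send.
pub fn unsound_accepts_rc() -> bool { is_send!(before::Bucket<Rc<u32>>) }
// With the T: Send bound, the same bucket is rejected at compile time.
pub fn fixed_accepts_rc() -> bool { is_send!(after::Bucket<Rc<u32>>) }
// Buckets of genuinely Send contents remain usable across threads.
pub fn fixed_accepts_u32() -> bool { is_send!(after::Bucket<u32>) }

fn main() {
    println!("before: Bucket<Rc<u32>> is Send = {}", unsound_accepts_rc());
    println!("after:  Bucket<Rc<u32>> is Send = {}", fixed_accepts_rc());
    println!("after:  Bucket<u32>     is Send = {}", fixed_accepts_u32());
}
```

The same probe can be pointed at any wrapper type with a manual `unsafe impl Send` to confirm that the impl carries the bounds its fields require.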

Exploit

Fix

Command Injection

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2020-36462
GHSA-R88H-6987-G79F
GHSA-VP6R-MRQ9-8F4H
RUSTSEC-2020-0142

Affected Products

Syncpool