PT-2020-17652 · Rust · Distrustor Crate

Published 2020-12-17 · Updated 2021-08-25 · CVE-2020-36470

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: distrustor crate through 2020-12-17
Description: The RingBuffer type in the distrustor crate does not limit how many mutable references to the same data can exist at once. RingBuffer obtains mutable references from its DataProvider in a non-atomic way, so two callers, on one thread or on different threads, can each be handed a &mut to the same element. Aliased mutable references are undefined behavior in Rust even without concurrency; once the buffer is shared between threads the same aliasing also produces data races. RingBuffer additionally implements Send and Sync for every T, with no T: Send or T: Sync bound, so the buffer can be moved to or shared across threads even when the element type itself is not thread-safe.
Recommendations: No release of the distrustor crate containing a fix is known; all versions through 2020-12-17 are affected. Until a fixed version is published, avoid the RingBuffer type. If it cannot be removed, confine each RingBuffer instance to a single thread and never hold two mutable references obtained from it at the same time; this limits exposure to data races but does not make the type sound, because aliased &mut references are undefined behavior on their own. cargo audit reports the dependency under RUSTSEC-2020-0150, which is the practical check for whether a project's Cargo.lock pulls the crate in.
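Added example, not the distrustor crate's code: a stripped-down ring buffer in both shapes the description contrasts. NaiveRing reproduces the unsound pattern, a &mut T handed out from &self with no borrow accounting plus unconditional Send/Sync impls; GuardedRing is one sound way to hand out exclusive access from a shared buffer, claiming a per-slot atomic flag with a single compare-exchange and bounding Send/Sync on T: Send. The type and function names (NaiveRing, GuardedRing, SlotGuard, try_get_mut) are hypothetical, and the crate's real RingBuffer and DataProvider internals are not reproduced.

```rust
use std::cell::UnsafeCell;
use std::ops::{Deref, DerefMut};
use std::sync::atomic::{AtomicBool, Ordering};
use std::thread;

/// Flawed shape (illustrative, not the crate's code): `&mut T` is handed out
/// from `&self` with no record of outstanding borrows, so two `get_mut(0)`
/// calls yield two live `&mut` to one element (UB even single-threaded), and
/// the unbounded Send/Sync impls let that buffer cross threads for any `T`.
pub struct NaiveRing<T> {
    slots: UnsafeCell<Vec<T>>,
}
impl<T> NaiveRing<T> {
    pub fn new(slots: Vec<T>) -> Self {
        NaiveRing { slots: UnsafeCell::new(slots) }
    }
    /// Unsound: nothing stops a second caller from obtaining the same slot.
    pub fn get_mut(&self, index: usize) -> &mut T {
        let v = unsafe { &mut *self.slots.get() };
        let n = v.len();
        &mut v[index % n]
    }
}
// Unsound: no `T: Send` bound, so a buffer of `Rc<_>` would count as Sync too.
unsafe impl<T> Send for NaiveRing<T> {}
unsafe impl<T> Sync for NaiveRing<T> {}

/// Hardened shape: each slot has an atomic lease flag claimed by a single
/// compare-exchange, so at most one `&mut` per slot exists at any time across
/// all threads; the guard releases the flag when dropped.
pub struct GuardedRing<T> {
    slots: Vec<UnsafeCell<T>>,
    leased: Vec<AtomicBool>,
}
pub struct SlotGuard<'a, T> {
    ring: &'a GuardedRing<T>,
    index: usize,
}
impl<T> GuardedRing<T> {
    pub fn new(items: Vec<T>) -> Self {
        let leased = (0..items.len()).map(|_| AtomicBool::new(false)).collect();
        GuardedRing { slots: items.into_iter().map(UnsafeCell::new).collect(), leased }
    }
    /// Returns `None` while another guard holds this slot.
    pub fn try_get_mut(&self, index: usize) -> Option<SlotGuard<'_, T>> {
        let index = index % self.slots.len();
        // Acquire pairs with the Release in Drop, so the previous holder's
        // writes are visible to this one.
        self.leased[index]
            .compare_exchange(false, true, Ordering::Acquire, Ordering::Relaxed)
            .ok()?;
        Some(SlotGuard { ring: self, index })
    }
}
impl<T> Deref for SlotGuard<'_, T> {
    type Target = T;
    // SAFETY (both derefs): the lease flag makes this guard the slot's only accessor.
    fn deref(&self) -> &T { unsafe { &*self.ring.slots[self.index].get() } }
}
impl<T> DerefMut for SlotGuard<'_, T> {
    fn deref_mut(&mut self) -> &mut T { unsafe { &mut *self.ring.slots[self.index].get() } }
}
impl<T> Drop for SlotGuard<'_, T> {
    fn drop(&mut self) { self.ring.leased[self.index].store(false, Ordering::Release); }
}
// Same bounds as std::sync::Mutex: sharing the ring hands `&mut T` to other
// threads, so `T` must be Send; a ring of `Rc<_>` stays thread-local.
unsafe impl<T: Send> Send for GuardedRing<T> {}
unsafe impl<T: Send> Sync for GuardedRing<T> {}

/// Single thread: a second lease on a held slot is refused, another slot is
/// fine, and the slot is available again once the guard is dropped.
pub fn exclusive_lease_demo() -> (bool, bool) {
    let ring = GuardedRing::new(vec![String::from("a"), String::from("b")]);
    let first = ring.try_get_mut(0);
    let refused = ring.try_get_mut(0).is_none() && ring.try_get_mut(1).is_some();
    drop(first);
    let reusable = ring.try_get_mut(0).is_some();
    (refused, reusable)
}

/// `workers` threads each try `attempts` leases on slot 0 and increment it on
/// success. Returns (successful leases, final slot value): with exclusive
/// leases the two are always equal, since no increment runs through an alias.
pub fn contended_increments(workers: usize, attempts: usize) -> (usize, usize) {
    let ring = GuardedRing::new(vec![0usize; 4]);
    let wins: usize = thread::scope(|s| {
        let handles: Vec<_> = (0..workers)
            .map(|_| s.spawn(|| (0..attempts)
                .filter(|_| ring.try_get_mut(0).map(|mut slot| *slot += 1).is_some())
                .count()))
            .collect();
        handles.into_iter().map(|h| h.join().unwrap()).sum()
    });
    let value = *ring.try_get_mut(0).expect("no worker holds the slot now");
    (wins, value)
}
```

NaiveRing is deliberately never exercised with two overlapping get_mut calls: doing so is the undefined behavior the advisory describes, and running such a call pair under Miri reports the aliasing violation even on a single thread. GuardedRing only ever exposes exclusive access through a guard, and its Send/Sync impls carry the T: Send bound that the unbounded impls in the vulnerable pattern omit, so a buffer of non-Send elements cannot be shared across threads by construction.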

Exploit: Race Condition


Weakness Enumeration

Related Identifiers

CVE-2020-36470
GHSA-W9R2-QRPM-4RMJ
RUSTSEC-2020-0150

Affected Products

Distrustor Crate