CVE-2020-35915 – futures-intrusive
Package
Manager: cargo
Name: futures-intrusive
Vulnerable Version: >=0 <0.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00054 (percentile 0.16689)
Details
Data races in futures-intrusive

GenericMutexGuard<T> was given the Sync auto trait as long as T is Send due to its contained members. However, since the guard is supposed to represent an acquired lock and allows concurrent access to the underlying data from different threads, it should only be Sync when the underlying data is. This is a soundness issue and allows data races, potentially leading to crashes and segfaults from safe Rust code. The flaw was corrected by adding a T: Send + Sync bound for GenericMutexGuard's Sync trait.
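A simplified model of the auto-trait derivation and the corrected bound, added here as an example; it is not code from futures-intrusive. `ModelMutex`, `AutoGuard`, `FixedGuard`, `Probe` and `Fallback` are hypothetical names, and the model assumes a mutex that is Sync whenever T is Send.

```rust
use std::cell::{Cell, UnsafeCell};
use std::marker::PhantomData;

// Simplified mutex model (assumption, not the crate's type): Sync whenever
// T: Send, because the lock is expected to serialise access to the value.
#[allow(dead_code)]
pub struct ModelMutex<T> { value: UnsafeCell<T> }
unsafe impl<T: Send> Sync for ModelMutex<T> {}

// "Before": no explicit Sync impl, so the auto trait is derived from the one
// member. &ModelMutex<T> is Sync when T: Send, and therefore so is the guard.
#[allow(dead_code)]
pub struct AutoGuard<'a, T> { mutex: &'a ModelMutex<T> }

// "After": an explicit impl replaces the auto-derived one and carries the
// T: Send + Sync bound named in the advisory.
#[allow(dead_code)]
pub struct FixedGuard<'a, T> { mutex: &'a ModelMutex<T> }
unsafe impl<T: Send + Sync> Sync for FixedGuard<'_, T> {}

// Compile-time probe: the inherent constant is selected only when T: Sync,
// otherwise path resolution falls back to the trait's default value.
pub struct Probe<T: ?Sized>(PhantomData<T>);
pub trait Fallback { const IS_SYNC: bool = false; }
impl<T: ?Sized> Fallback for T {}
impl<T: ?Sized + Sync> Probe<T> { pub const IS_SYNC: bool = true; }
macro_rules! is_sync { ($t:ty) => { <Probe<$t>>::IS_SYNC }; }

// Cell<i32> is Send but not Sync, which is the case the advisory describes.
pub fn auto_guard_over_cell() -> bool { is_sync!(AutoGuard<'static, Cell<i32>>) }
pub fn fixed_guard_over_cell() -> bool { is_sync!(FixedGuard<'static, Cell<i32>>) }
pub fn fixed_guard_over_i32() -> bool { is_sync!(FixedGuard<'static, i32>) }

fn main() {
    println!("auto guard over Cell<i32>:  Sync = {}", auto_guard_over_cell());
    println!("fixed guard over Cell<i32>: Sync = {}", fixed_guard_over_cell());
    println!("fixed guard over i32:       Sync = {}", fixed_guard_over_i32());
}
```

The same probe can serve as a regression test for any guard type in a code base: assert that the guard over a Send-but-not-Sync payload such as `Cell<i32>` is not Sync.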
Metadata
Created: 2021-08-25T20:49:58Z
Modified: 2023-06-13T18:10:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-4hjg-cx88-g9f9/GHSA-4hjg-cx88-g9f9.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-4hjg-cx88-g9f9
Finding: F124
Auto approve: 1