GHSA-r88h-6987-g79f syncpool

Package

Manager: cargo
Name: syncpool
Vulnerable Version: >=0 <0.1.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Data races on syncpool

Affected versions of this crate unconditionally implement `Send` for `Bucket2`. This allows non-`Send` types to be sent to other threads. Data races can result when non-`Send` types such as `Cell<T>` or `Rc<T>` are contained inside `Bucket2` and sent across thread boundaries. These data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). The flaw was corrected in commit `15b2828` by adding a `T: Send` bound to the `Send` impl of `Bucket2<T>`.
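The difference between the unbounded and the bounded `Send` impl can be checked at compile time. The following is an added example, not code from syncpool or from the original report; `UnsoundBucket`, `FixedBucket`, `Probe` and `is_send!` are hypothetical names, and the raw-pointer layout is an assumption chosen only so that a manual `Send` impl is needed.

```rust
use std::{cell::Cell, marker::PhantomData, rc::Rc, thread};

// Hypothetical stand-ins for a pool bucket (not syncpool's code). The raw
// pointer field removes the automatic `Send` impl, so each type opts back in.
#[allow(dead_code)]
pub struct UnsoundBucket<T>(*mut T);
pub struct FixedBucket<T>(*mut T);

// Pattern the advisory describes: no bound, so any `T` may cross threads.
unsafe impl<T> Send for UnsoundBucket<T> {}
// Corrected pattern: the bucket is `Send` only when its contents are.
unsafe impl<T: Send> Send for FixedBucket<T> {}

impl<T> FixedBucket<T> {
    pub fn new(v: T) -> Self { FixedBucket(Box::into_raw(Box::new(v))) }
    // SAFETY: the pointer comes from `Box::into_raw` and lives until `drop`.
    pub fn get(&self) -> &T { unsafe { &*self.0 } }
}
impl<T> Drop for FixedBucket<T> {
    fn drop(&mut self) { unsafe { drop(Box::from_raw(self.0)) } }
}

// Compile-time probe: the inherent const is chosen only when `T: Send`;
// otherwise resolution falls back to the blanket trait default.
trait Fallback { const IS_SEND: bool = false; }
impl<T: ?Sized> Fallback for T {}
#[allow(dead_code)]
struct Probe<T: ?Sized>(PhantomData<T>);
#[allow(dead_code)]
impl<T: ?Sized + Send> Probe<T> { const IS_SEND: bool = true; }
macro_rules! is_send { ($t:ty) => { <Probe<$t>>::IS_SEND }; }

type NonSend = Rc<Cell<u8>>; // constructed sample: `Rc` is never `Send`

pub fn unsound_is_send_with_rc() -> bool { is_send!(UnsoundBucket<NonSend>) }
pub fn fixed_is_send_with_rc() -> bool { is_send!(FixedBucket<NonSend>) }
pub fn fixed_is_send_with_u64() -> bool { is_send!(FixedBucket<u64>) }

// A `Send` payload still moves to another thread under the corrected bound.
pub fn fixed_crosses_thread() -> u64 {
    let b = FixedBucket::new(41u64);
    thread::spawn(move || *b.get() + 1).join().unwrap()
}

fn main() {
    println!("unsound + Rc: {}", unsound_is_send_with_rc());
    println!("fixed + Rc: {}", fixed_is_send_with_rc());
    println!("fixed + u64: {}", fixed_is_send_with_u64());
    println!("thread result: {}", fixed_crosses_thread());
}
```

A probe like this in a crate's test suite turns a missing bound on an `unsafe impl Send` into a failing assertion instead of a latent data race.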

Metadata

Created: 2021-08-25T21:00:28Z
Modified: 2023-06-13T21:54:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-r88h-6987-g79f/GHSA-r88h-6987-g79f.json
CWE IDs: ["CWE-362"]
Alternative ID: N/A
Finding: F124
Auto approve: 1