
RUSTSEC-2020-0062

Improper Sync implementation on FuturesUnordered in futures-util can cause data corruption

Reported
Issued
Package: futures-util (crates.io)
Type: Vulnerability
Categories
Keywords: #concurrency #memory-corruption #memory-management
Aliases
References
CVSS Score: 5.5 MEDIUM
CVSS Details
  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=0.3.2
Unaffected
  • <0.3.0
Affected Functions (Version)
  • futures_util::stream::FuturesUnordered: >=0.3.0

Description

Affected versions of the crate had an unsound Sync implementation on the FuturesUnordered structure, which used a Cell for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely.

This could have led to data corruption, since two threads modifying the list at once could see incorrect values due to the lack of access synchronization.

The issue was fixed by adding access synchronization code around insertion of tasks into the list.
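
The pattern described above, as an added example that is not code from futures-util or from the advisory: a simplified task list whose head and length are only ever changed together under one lock, next to the Cell-based shape that an unsafe Sync impl would make unsound. All names here (UnsoundList, TaskList, concurrent_push) are hypothetical, and the Mutex is an assumed stand-in for the crate's actual synchronization, which the advisory does not detail.

```rust
use std::cell::Cell;
use std::sync::{Arc, Mutex};
use std::thread;

// Unsound shape (simplified, hypothetical): `Cell` is !Sync, so the compiler
// refuses to share this type across threads unless the impl below is added.
#[allow(dead_code)]
struct UnsoundList { head: Cell<usize>, len: Cell<usize> } // usize stands in for a pointer
// unsafe impl Sync for UnsoundList {} // asserts a guarantee nothing in the type enforces

struct Node { task_id: usize, next: Option<Box<Node>> }
struct Inner { head: Option<Box<Node>>, len: usize }

// Sound by construction: `Mutex<Inner>` is Sync, so no `unsafe impl` is needed.
pub struct TaskList { inner: Mutex<Inner> }

impl TaskList {
    pub fn new() -> Self {
        TaskList { inner: Mutex::new(Inner { head: None, len: 0 }) }
    }

    // Insert at the head; head and len change under the same lock.
    pub fn push(&self, task_id: usize) -> usize {
        let mut g = self.inner.lock().unwrap();
        let next = g.head.take();
        g.head = Some(Box::new(Node { task_id, next }));
        g.len += 1;
        g.len
    }

    // Returns (recorded len, nodes reachable from head, sum of their ids).
    pub fn audit(&self) -> (usize, usize, usize) {
        let g = self.inner.lock().unwrap();
        let (mut n, mut sum, mut cur) = (0usize, 0usize, g.head.as_ref());
        while let Some(node) = cur { n += 1; sum += node.task_id; cur = node.next.as_ref(); }
        (g.len, n, sum)
    }
}

// Push distinct ids from several threads, then check the list for lost updates.
pub fn concurrent_push(threads: usize, per_thread: usize) -> (usize, usize, usize) {
    let list = Arc::new(TaskList::new());
    let handles: Vec<_> = (0..threads).map(|t| {
        let list = Arc::clone(&list);
        thread::spawn(move || { for i in 0..per_thread { list.push(t * per_thread + i); } })
    }).collect();
    for h in handles { h.join().unwrap(); }
    list.audit()
}

fn main() { println!("{:?}", concurrent_push(4, 250)); }
```

A mismatch between the recorded length and the number of reachable nodes is the kind of corruption that unsynchronized head and length updates can produce.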

Advisory available under CC0-1.0 license.