Reported

December 8, 2020

Issued

December 9, 2020 (last modified: June 13, 2023)

Package

thex (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Keywords

#concurrency

Aliases

• CVE-2020-35927
• GHSA-j42v-6wpm-r847

CVSS Score

5.5 MEDIUM

CVSS Details

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Patched

no patched versions

Description

thex::Thex<T> implements Sync for all types T. However, it is missing a bound for T: Send.

This allows non-Send types such as Rc to be sent across thread boundaries which can trigger undefined behavior and memory corruption.

Advisory available under CC0-1.0 license.