Reported

December 8, 2020

Issued

December 9, 2020 (last modified: June 13, 2023)

Package

thex (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Keywords

#concurrency

Aliases

• CVE-2020-35927
• GHSA-j42v-6wpm-r847

CVSS Score

5.5 MEDIUM

CVSS Details

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Patched

no patched versions

Description

thex::Thex<T> implements Sync for all types T. However, it is missing a bound for T: Send.

This allows non-Send types such as Rc to be sent across thread boundaries which can trigger undefined behavior and memory corruption.

Advisory available under CC0-1.0 license.