Reported

December 18, 2020

Issued

January 18, 2021 (last modified: June 13, 2023)

Package

rusb (crates.io)

Type

INFO Unsound

Categories

• memory-corruption
• thread-safety

Keywords

#concurrency

Aliases

• CVE-2020-36206
• GHSA-9mxw-4856-9cm5

References

• https://github.com/a1ien/rusb/issues/44

CVSS Score

7 HIGH

CVSS Details

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.7.0

Description

Affected versions of rusb did not require UsbContext to implement Send and Sync. However, through Device and DeviceHandle it is possible to use UsbContexts across threads.

This issue allows non-thread safe UsbContext types to be used concurrently leading to data races and memory corruption.

The issue was fixed by adding Send and Sync bounds to UsbContext.

Advisory available under CC0-1.0 license.