Reported

November 10, 2020

Issued

January 20, 2021 (last modified: June 13, 2023)

Package

late-static (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2020-36209
• GHSA-wr55-mf5c-hhwm

References

• https://github.com/Richard-W/late-static/issues/1

CVSS Score

7 HIGH

CVSS Details

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.4.0

Description

Affected versions of this crate implemented Sync for LateStatic with T: Send, so that it is possible to create a data race to a type T: Send + !Sync (e.g. Cell<T>).

This can result in a memory corruption or other kinds of undefined behavior.

The flaw was corrected in commit 11f396c by replacing the T: Send bound to T: Sync bound in the Sync impl for LateStatic<T>.

Advisory available under CC0-1.0 license.