Reported

December 8, 2020

Issued

January 24, 2021 (last modified: June 13, 2023)

Package

tiny_future (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Keywords

#concurrency

Aliases

• CVE-2020-36438
• GHSA-fg42-vwxx-xx5j
• GHSA-m296-j53x-xv95

References

• https://github.com/KizzyCode/tiny_future/issues/1

CVSS Score

8.1 HIGH

CVSS Details

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.4.0

Description

tiny_future contains a light-weight implementation of Futures. The Future type it has lacked bound on its Send and Sync traits.

This allows for a bug where non-thread safe types such as Cell can be used in Futures and cause data races in concurrent programs.

The flaw was corrected in commit c791919 by adding trait bounds to Future's Send and Sync.

Advisory available under CC0-1.0 license.