Reported

December 25, 2020

Issued

February 4, 2021 (last modified: June 13, 2023)

Package

multiqueue (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2020-36463
• GHSA-jf43-3v8j-qwwr
• GHSA-r2x6-vrxx-jgv4

References

• https://github.com/schets/multiqueue/issues/31

CVSS Score

8.1 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Description

Affected versions of this crate unconditionally implemented Send for types used in queue implementations (InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, FutInnerRecv<RW, T>).

This allows users to send non-Send types to other threads, which can lead to data race bugs or other undefined behavior.

Advisory available under CC0-1.0 license.