Reported

April 7, 2021

Issued

September 18, 2021 (last modified: June 13, 2023)

Package

metrics-util (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2021-45704
• GHSA-3hxh-7jxm-59x4
• GHSA-cwvc-87xq-pc5m

References

• https://github.com/metrics-rs/metrics/issues/190

Patched

• >=0.7.0

Description

In the affected versions of the crate, AtomicBucket<T> unconditionally implements Send/Sync traits. Therefore, users can create a data race to the inner T: !Sync by using the AtomicBucket::data_with() API. Such data races can potentially cause memory corruption or other undefined behavior.

The flaw was fixed in commit 8e6daab by adding appropriate Send/Sync bounds to the Send/Sync impl of struct Block<T> (which is a data type contained inside AtomicBucket<T>).

Advisory available under CC0-1.0 license.