GHSA-vp6r-mrq9-8f4h

Suggest an improvement
Source
https://github.com/advisories/GHSA-vp6r-mrq9-8f4h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vp6r-mrq9-8f4h/GHSA-vp6r-mrq9-8f4h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vp6r-mrq9-8f4h
Aliases
Published
2021-08-25T20:58:11Z
Modified
2023-11-08T04:03:46.319786Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Data race in syncpool
Details

Affected versions of this crate unconditionally implements Send for Bucket2. This allows sending non-Send types to other threads. This can lead to data races when non Send types like Cell<T> or Rc<T> are contained inside Bucket2 and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). The flaw was corrected in commit 15b2828 by adding a T: Send bound to the Send impl of Bucket2<T>.

Database specific
{
    "nvd_published_at": "2021-08-08T06:15:00Z",
    "cwe_ids": [
        "CWE-362",
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:18:30Z"
}
References

Affected packages

crates.io / syncpool

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.1.6