CVE-2020-35915: Data races in futures-intrusive
CVSS Score: 5.5 (version 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.16858%
CWE
Published: 8/25/2021
Updated: 6/13/2023
KEV Status: No
Technology: Rust
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
futures-intrusive | rust | < 0.4.0 | 0.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from an improper Sync trait implementation on GenericMutexGuard. The original implementation required only T: Send for the guard to be Sync, but it should have required T: Send + Sync to prevent cross-thread sharing of guarded data that isn't thread-safe. This allowed sending Sync-marked guards containing non-Sync types like Cell to different threads, enabling data races through safe code, as demonstrated in the PoC. The vulnerable component was the trait implementation itself rather than a specific function, but we represent it as the Sync trait impl in the structure's definition.
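The two bounds described above can be compared directly. The following is an added example, not code from futures-intrusive or from this advisory: GuardBefore, GuardAfter, Probe and audit are hypothetical names, and the guards are simplified models that carry only the trait bounds under discussion.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;

// Simplified models of the guard (hypothetical names, not the crate's code).
// The raw pointer keeps both types !Sync until an `unsafe impl` opts in.
#[allow(dead_code)]
struct GuardBefore<'a, T>(*const T, PhantomData<&'a T>);
#[allow(dead_code)]
struct GuardAfter<'a, T>(*const T, PhantomData<&'a T>);

// Bound the analysis describes as vulnerable: T only has to be Send.
unsafe impl<T: Send> Sync for GuardBefore<'_, T> {}
// Bound the analysis says was needed: T must also be Sync.
unsafe impl<T: Send + Sync> Sync for GuardAfter<'_, T> {}

// Compile-time probe: the inherent const is chosen when `T: Sync` holds,
// otherwise lookup falls back to the trait's default of `false`.
#[allow(dead_code)]
struct Probe<T: ?Sized>(PhantomData<T>);
trait NotSync {
    const IS_SYNC: bool = false;
}
impl<T: ?Sized> NotSync for Probe<T> {}
impl<T: ?Sized + Sync> Probe<T> {
    const IS_SYNC: bool = true;
}

macro_rules! is_sync {
    ($t:ty) => { <Probe<$t>>::IS_SYNC };
}

// Rows: (guarded type, guard is Sync under old bound, under new bound).
fn audit() -> [(&'static str, bool, bool); 3] {
    [
        ("i32", is_sync!(GuardBefore<'static, i32>), is_sync!(GuardAfter<'static, i32>)),
        ("Cell<i32>", is_sync!(GuardBefore<'static, Cell<i32>>), is_sync!(GuardAfter<'static, Cell<i32>>)),
        ("Rc<i32>", is_sync!(GuardBefore<'static, Rc<i32>>), is_sync!(GuardAfter<'static, Rc<i32>>)),
    ]
}

fn main() {
    for (ty, before, after) in audit().iter() {
        println!("guard over {}: Sync with T: Send = {}, with T: Send + Sync = {}", ty, before, after);
    }
}
```

Only the Cell<i32> row differs between the two bounds: Cell is Send but not Sync, so the weaker bound marks its guard as Sync while the stricter one does not.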