
CVE-2020-35915: Data races in futures-intrusive

CVSS Score: 5.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.16858%
Published: 8/25/2021
Updated: 6/13/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name: futures-intrusive
Ecosystem: rust
Vulnerable Versions: < 0.4.0
First Patched Version: 0.4.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from an incorrect Sync trait implementation on GenericMutexGuard. The original implementation only required T: Send for the guard to be Sync, but it should have required T: Send + Sync, so that a guard cannot be shared across threads when the guarded data is not itself thread-safe. As a result, a guard wrapping a non-Sync type such as Cell was marked Sync and could be shared with other threads, enabling a data race from safe code, as demonstrated in the PoC. The vulnerable component is the trait implementation itself rather than a specific function, so it is represented here as the Sync trait impl in the struct's definition.
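To make the bound concrete, the following is an added example and not code from futures-intrusive: a constructed MiniMutex with two guard types, VulnGuard carrying the pre-0.4.0 `T: Send` bound and FixedGuard carrying the corrected `T: Send + Sync` bound, plus a compile-time probe assert_sync that shows which guard types the compiler accepts as shareable. All type and function names are constructed for illustration.

```rust
use std::cell::{Cell, UnsafeCell};
use std::ops::{Deref, DerefMut};
use std::sync::atomic::{AtomicBool, Ordering};

/// Constructed stand-in for the crate's mutex: a spin lock around an UnsafeCell.
pub struct MiniMutex<T> {
    locked: AtomicBool,
    value: UnsafeCell<T>,
}
// Sharing the mutex itself only needs T: Send, since the lock hands out
// exclusive access to one holder at a time (same bound as std::sync::Mutex).
unsafe impl<T: Send> Sync for MiniMutex<T> {}
/// Guard as in futures-intrusive < 0.4.0: Sync whenever T: Send, which is
/// exactly what the auto trait derived from the contained &MiniMutex<T>.
pub struct VulnGuard<'a, T>(pub &'a MiniMutex<T>);
unsafe impl<'a, T: Send> Sync for VulnGuard<'a, T> {}
/// Guard with the 0.4.0 bound: a held lock behaves like &mut T, and &mut T is
/// Sync only when T: Sync, so the impl must require T: Send + Sync.
pub struct FixedGuard<'a, T>(&'a MiniMutex<T>);
unsafe impl<'a, T: Send + Sync> Sync for FixedGuard<'a, T> {}

impl<T> MiniMutex<T> {
    pub fn new(value: T) -> Self {
        MiniMutex { locked: AtomicBool::new(false), value: UnsafeCell::new(value) }
    }
    pub fn lock(&self) -> FixedGuard<'_, T> {
        while self.locked.swap(true, Ordering::Acquire) { std::hint::spin_loop(); }
        FixedGuard(self)
    }
}
impl<T> Deref for FixedGuard<'_, T> {
    type Target = T;
    fn deref(&self) -> &T { unsafe { &*self.0.value.get() } }
}
impl<T> DerefMut for FixedGuard<'_, T> {
    fn deref_mut(&mut self) -> &mut T { unsafe { &mut *self.0.value.get() } }
}
impl<T> Drop for FixedGuard<'_, T> {
    fn drop(&mut self) { self.0.locked.store(false, Ordering::Release); }
}
/// Compile-time probe: the call only type-checks if T is Sync.
pub fn assert_sync<T: Sync>() {}

pub fn check_bounds() -> bool {
    assert_sync::<VulnGuard<'static, Cell<u32>>>(); // the bug: a non-Sync Cell is accepted
    assert_sync::<FixedGuard<'static, u32>>(); // fixed guard over a Sync payload: fine
    // assert_sync::<FixedGuard<'static, Cell<u32>>>(); // no longer compiles: Cell<u32> is not Sync
    true
}
```

Uncommenting the last probe reproduces the rejection the 0.4.0 bound introduces: the compiler refuses to treat a guard over a Cell as shareable between threads.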
