CVE-2020-35927: Data races in thex
5.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.16805%
CWE
Published
8/25/2021
Updated
1/9/2023
KEV Status
No
Technology
Rust
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
thex | rust | <= 0.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The core vulnerability stems from the improper Sync trait implementation for Thex<T>. In Rust, Sync indicates a type can be safely shared between threads via references. However, the implementation lacked a T: Send
bound, violating Rust's safety guarantees. This allows Thex<T> to be marked as thread-safe (Sync) even when containing non-Send types like Rc, enabling cross-thread data races. The advisory explicitly identifies this missing bound as the root cause, making the Sync trait implementation the clear vulnerable component.