CVE-2021-28037: Data race in internment
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.61007%
CWE
Published
8/25/2021
Updated
1/9/2023
KEV Status
No
Technology
Rust
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
internment | rust | < 0.4.2 | 0.4.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the unsafe Sync
trait implementation for Intern<T>
that lacks a T: Sync
bound. This allows Intern<T>
to be considered thread-safe even when containing non-Sync
types, violating Rust's thread safety guarantees. The GitHub
issue reproduction demonstrates this by creating a data race with Cell<T>
(which is !Sync
) stored in Intern<T>
. The fix in 0.4.2 added the T: Sync
bound to this implementation, confirming this was the root cause.