CVE-2020-35906

HIGH7.8EPSS 0.06%

futures_task::waker may cause a use-after-free if used on a type that isn't 'static

Published: 5/24/2022Modified: 11/8/2023

Also known as:GHSA-r93v-9p5q-vhpfRUSTSEC-2020-0060

Description

Affected versions of the crate did not properly implement a `'static` lifetime bound on the `waker` function. This resulted in a use-after-free if `Waker::wake()` is called after original data had been dropped. The flaw was corrected by adding `'static` lifetime bound to the data `waker` takes.

Affected packages (2)

crates.io/futures-task>= 0.2.1, < 0.3.6
crates.io/futures-task>= 0.2.2-0, < 0.3.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-35906
PATCHhttps://crates.io/crates/futures-task
PATCHhttps://github.com/rust-lang/futures-rs
WEBhttps://github.com/rust-lang/futures-rs/pull/2206
WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0060.html