CVE-2020-35908

MEDIUM5.5EPSS 0.05%

Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption

Published: 5/24/2022Modified: 11/8/2023

Also known as:GHSA-5r9g-j7jj-hw6cRUSTSEC-2020-0062

Description

Affected versions of the crate had an unsound `Sync` implementation on the `FuturesUnordered` structure, which used a `Cell` for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely. This could of lead to data corruption since two threads modifying the list at once could see incorrect values due to the lack of access synchronization. The issue was fixed by adding access synchronization code around insertion of tasks into the list.

Affected packages (2)

crates.io/futures-util>= 0.3.0, < 0.3.2
crates.io/futures-util>= 0.3.0, < 0.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-35908
PATCHhttps://crates.io/crates/futures-util
PATCHhttps://github.com/rust-lang/futures-rs
WEBhttps://github.com/rust-lang/futures-rs/issues/2050
WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0062.html