CVE-2021-28037

CRITICAL9.8EPSS 0.43%

Intern<T>: Data race allowed on T

Published: 8/25/2021Modified: 11/8/2023

Description

Affected versions of this crate unconditionally implements `Sync` for `Intern<T>`. This allows users to create data race on `T: !Sync`, which may lead to undefined behavior (for example, memory corruption). The flaw was corrected in commit 2928a87 by adding the trait bound `T: Sync` in the `Sync` impl of `Intern<T>`.

Affected packages (2)

crates.io/internmentfrom 0, < 0.4.2
crates.io/internment>= 0.0.0-0, < 0.4.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-28037
PATCHhttps://crates.io/crates/internment
PATCHhttps://github.com/droundy/internment
WEBhttps://github.com/droundy/internment/issues/20
WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0036.html