CVE-2020-35906

HIGH7.8EPSS 0.06%

futures_task::waker may cause a use-after-free if used on a type that isn't 'static

發布日:2022/5/24修改日:2025/10/30

描述

Affected versions of the crate did not properly implement a 'static lifetime bound on the waker function. This resulted in a use-after-free if Waker::wake() is called after original data had been dropped. The flaw was corrected by adding 'static lifetime bound to the data waker takes.

受影響套件(2)

crates.io/futures-task>= 0.2.1, < 0.3.6
crates.io/futures-task>= 0.2.2-0, < 0.3.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-35906
PATCHhttps://crates.io/crates/futures-task
PATCHhttps://github.com/rust-lang/futures-rs
WEBhttps://github.com/rust-lang/futures-rs/pull/2206
WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0060.html