Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. async-coap
  4. ›
  5. CVE-2020-36444

CVE-2020-36444: Data races in async-coap

August 25, 2021

An issue was discovered in the async-coap crate through 2020-12-08 for Rust. Affected versions of this crate implement Send/Sync for ArcGuard<RC, T> with no trait bounds on RC. This allows users to send RC: !Send to other threads and also allows users to concurrently access Rc: !Sync from multiple threads.

This can result in memory corruption from data race or other undefined behavior caused by sending T: !Send to other threads (e.g. dropping MutexGuard<T> in another thread that didn’t lock its mutex).

References

  • github.com/advisories/GHSA-9j8q-m9x5-9g6j
  • github.com/google/rust-async-coap
  • github.com/google/rust-async-coap/issues/33
  • nvd.nist.gov/vuln/detail/CVE-2020-36444
  • raw.githubusercontent.com/rustsec/advisory-db/main/crates/async-coap/RUSTSEC-2020-0124.md
  • rustsec.org/advisories/RUSTSEC-2020-0124.html

Code Behaviors & Features

Detect and mitigate CVE-2020-36444 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions up to 0.1.0

Solution

Unfortunately, there is no solution available yet.

Impact 8.1 HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Source file

cargo/async-coap/CVE-2020-36444.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:14:49 +0000.