CVE-2020-36214: Data races in multiqueue2

August 25, 2021 (updated June 13, 2023)

Affected versions of this crate unconditionally implemented Send for types used in queue implementations (InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, FutInnerRecv<RW, T>).

This allows users to send non-Send types to other threads, which can lead to data race bugs or other undefined behavior.

The flaw was corrected in v0.1.7 by adding T: Send bound to to the Send impl of four data types explained above.

References

github.com/abbychau/multiqueue2
github.com/abbychau/multiqueue2/issues/10
github.com/advisories/GHSA-jphw-p3m6-pj3c
nvd.nist.gov/vuln/detail/CVE-2020-36214
rustsec.org/advisories/RUSTSEC-2020-0106.html

Detect and mitigate CVE-2020-36214 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →