CVE-2020-35879: Data races in rulinalg

August 25, 2021 (updated June 13, 2023)

The affected version of rulinalg has incorrect lifetime boundary definitions for RowMut::raw_slice and RowMut::raw_slice_mut. They do not conform with Rust’s borrowing rule and allows the user to create multiple mutable references to the same location. This may result in unexpected calculation result and data race if both references are used at the same time.

References

github.com/AtheMathmo/rulinalg
github.com/AtheMathmo/rulinalg/issues/201
github.com/advisories/GHSA-q2gj-9r85-p832
nvd.nist.gov/vuln/detail/CVE-2020-35879
rustsec.org/advisories/RUSTSEC-2020-0023.html

Detect and mitigate CVE-2020-35879 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →