CVE-2020-36206: Data races in rusb

August 25, 2021 (updated June 13, 2023)

Affected versions of rusb did not require UsbContext to implement Send and Sync. However, through Device and DeviceHandle it is possible to use UsbContexts across threads. This issue allows non-thread safe UsbContext types to be used concurrently leading to data races and memory corruption. The issue was fixed by adding Send and Sync bounds to UsbContext.

References

github.com/a1ien/rusb
github.com/a1ien/rusb/issues/44
github.com/advisories/GHSA-9mxw-4856-9cm5
nvd.nist.gov/vuln/detail/CVE-2020-36206
rustsec.org/advisories/RUSTSEC-2020-0098.html

Detect and mitigate CVE-2020-36206 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →