AtomicBucket<T> unconditionally implements Send/Sync

Moderate severity GitHub Reviewed Published Jun 17, 2022 to the GitHub Advisory Database • Updated Jan 12, 2023

Package

cargo metrics-util (Rust)

Affected versions

< 0.7.0

Patched versions

0.7.0

Description

In the affected versions of the crate, AtomicBucket<T> unconditionally implements the Send/Sync traits. Users can therefore create a data race on the inner T: !Sync by using the AtomicBucket::data_with() API.
Such data races can potentially cause memory corruption or other undefined behavior.

The flaw was fixed in commit 8e6daab by adding appropriate Send/Sync bounds to the Send/Sync impl of struct Block<T> (which is a data type contained inside AtomicBucket<T>).
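
The pattern behind the fix, as an added example that is not code from metrics-util: the `Block<T>` below is a simplified, hypothetical stand-in, and the exact bounds chosen (`T: Send` for Send, `T: Send + Sync` for Sync) are an assumption, since the advisory only says "appropriate" bounds were added. The probe functions show that the bounded impls keep a block of atomics shareable while a block of `Cell<u32>` (a `!Sync` type) is no longer `Sync`.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::sync::atomic::{AtomicU32, Ordering};

// Hypothetical stand-in: the raw pointer means Send/Sync are not auto-derived.
pub struct Block<T> { slots: *mut T, len: usize }

// Bounded impls. An unbounded `unsafe impl<T> Sync for Block<T> {}` would let
// a Block<Cell<u32>> be shared across threads and raced on.
unsafe impl<T: Send> Send for Block<T> {}
unsafe impl<T: Send + Sync> Sync for Block<T> {}

impl<T> Block<T> {
    pub fn new(items: Vec<T>) -> Self {
        let boxed = items.into_boxed_slice();
        let len = boxed.len();
        Block { slots: Box::into_raw(boxed) as *mut T, len }
    }
    // Shared read access through &self, in the spirit of data_with().
    pub fn data_with<R>(&self, f: impl FnOnce(&[T]) -> R) -> R {
        f(unsafe { std::slice::from_raw_parts(self.slots, self.len) })
    }
}
impl<T> Drop for Block<T> {
    fn drop(&mut self) {
        unsafe { drop(Box::from_raw(std::ptr::slice_from_raw_parts_mut(self.slots, self.len))) }
    }
}

// Probe: the inherent const is chosen only when `T: Sync` holds,
// otherwise lookup falls back to the blanket trait const.
trait Fallback { const IS_SYNC: bool = false; }
impl<T: ?Sized> Fallback for T {}
struct Probe<T: ?Sized>(PhantomData<T>);
impl<T: ?Sized + Sync> Probe<T> { const IS_SYNC: bool = true; }

pub fn atomic_block_is_sync() -> bool { Probe::<Block<AtomicU32>>::IS_SYNC }
pub fn cell_block_is_sync() -> bool { Probe::<Block<Cell<u32>>>::IS_SYNC }

fn bump(d: &[AtomicU32]) { for a in d { a.fetch_add(1, Ordering::Relaxed); } }
// Sharing &Block<AtomicU32> across threads compiles because AtomicU32: Sync.
pub fn concurrent_sum() -> u32 {
    let block = Block::new(vec![AtomicU32::new(0), AtomicU32::new(0)]);
    std::thread::scope(|s| { for _ in 0..4 { s.spawn(|| block.data_with(bump)); } });
    block.data_with(|d| d.iter().map(|a| a.load(Ordering::Relaxed)).sum())
}
fn main() {
    println!("Block<AtomicU32>: Sync = {}", atomic_block_is_sync());
    println!("Block<Cell<u32>>: Sync = {}", cell_block_is_sync());
    println!("sum after 4 threads = {}", concurrent_sum());
}
```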

References

Published to the GitHub Advisory Database Jun 17, 2022
Reviewed Jun 17, 2022
Last updated Jan 12, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-3hxh-7jxm-59x4

Source code
