CVE-2018-25026
Description
An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can add the Send marker trait to an object that cannot be sent between threads safely, leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The actix-web crate before 0.7.15 for Rust incorrectly adds the Send marker trait to objects that are not thread-safe, leading to potential memory corruption in multithreaded contexts.
Vulnerability
An issue was discovered in the actix-web crate for Rust, a web framework. The vulnerability affects versions prior to 0.7.15. The crate unsoundly adds the Send marker trait to objects that are not safe to be sent between threads, causing undefined behavior and potential memory corruption [1][3].
Exploitation
An attacker needs to send a crafted object that is incorrectly treated as Send across thread boundaries within the actix-web runtime. This is possible when the framework uses multithreaded execution (default configuration) and processes requests that involve such objects. The attacker can exploit this by providing input that triggers the use of the vulnerable API, leading to concurrent access to non-thread-safe data [3].
Impact
Successful exploitation results in memory corruption due to concurrent and unsynchronized access to data that should not be shared across threads. This can lead to a denial of service, information disclosure, or potentially arbitrary code execution in the context of the web server [1][3].
Mitigation
Upgrade to actix-web version 0.7.15 or later, which patches the issue. No workarounds are available for earlier versions [3]. The vulnerability is listed in the RustSec advisory database (RUSTSEC-2018-0019) [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actix-web (crates.io) | < 0.7.15 | 0.7.15 |
Affected products
- actix-web/actix-web
References
- github.com/advisories/GHSA-7x36-h62w-vw65 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-25026 (ghsa, ADVISORY)
- github.com/actix/actix-web/issues/289 (ghsa, WEB)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/actix-web/RUSTSEC-2018-0019.md (ghsa, x_refsource_MISC, WEB)
- rustsec.org/advisories/RUSTSEC-2018-0019.html (ghsa, x_refsource_MISC, WEB)