Critical severityNVD Advisory· Published Dec 31, 2020· Updated Aug 4, 2024

CVE-2020-35868

Description

An issue was discovered in the rusqlite crate before 0.23.0 for Rust. Memory safety can be violated via UnlockNotification.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory safety vulnerability in rusqlite <=0.22.0 allows violation via UnlockNotification; fixed in 0.23.0.

Vulnerability

Analysis

An issue was discovered in the rusqlite crate for Rust, affecting versions prior to 0.23.0. The vulnerability stems from the UnlockNotification implementation, which could lead to a violation of memory safety [2]. The root cause is that the notification mechanism did not properly hold the mutex while notifying the condition variable, and incorrectly used &mut references for values shared across threads [4]. This violates Rust's memory safety guarantees, potentially allowing undefined behavior.

Exploitation

Exploiting this vulnerability requires the use of the specific APIs exposed through UnlockNotification in rusqlite. It does not affect applications using default features, as the advisory notes that the impacted APIs are behind feature flags [4]. An attacker would need to craft a scenario where the unsafe behavior can be triggered, likely involving concurrent access to SQLite database connections.

Impact

An attacker could leverage this memory safety issue to cause a crash, data corruption, or potentially achieve arbitrary code execution. The CVE is part of a group of memory safety fixes discovered during an audit of unsafe code in the crate [2][4]. The vendor describes these as 'fundamentally unsound' and warned that they could not be fixed without breaking changes.

Mitigation

The vulnerability was fixed in rusqlite version 0.23.0, released to address multiple memory safety issues [4]. Users are advised to update to this version or later. The fix ensured that UnlockNotification properly holds the mutex while notifying the condition variable and avoids using &mut references across threads [4].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
rusqlitecrates.io	< 0.23.0	0.23.0

Affected products

Rust/rusqlitedescription
ghsa-coords
pkg:cargo/rusqlite
Range: < 0.23.0

Patches

54043c803c83

Prep release 0.23.0

https://github.com/rusqlite/rusqliteThom ChiovoloniApr 23, 2020via osv

commit

1 file changed · +1 −1

Cargo.toml+1 −1 modified

@@ -1,6 +1,6 @@
 [package]
 name = "rusqlite"
-version = "0.22.0"
+version = "0.23.0"
 authors = ["The rusqlite developers"]
 edition = "2018"
 description = "Ergonomic wrapper for SQLite"

45fd77ee43c3

UnlockNotification should hold mutex when calling condvar

https://github.com/rusqlite/rusqliteThom ChiovoloniApr 15, 2020via ghsa

commit

1 file changed · +9 −11

src/unlock_notify.rs+9 −11 modified

@@ -26,12 +26,13 @@ impl UnlockNotification {
         }
     }
 
-    fn fired(&mut self) {
-        *self.mutex.lock().unwrap() = true;
+    fn fired(&self) {
+        let mut flag = self.mutex.lock().unwrap();
+        *flag = true;
         self.cond.notify_one();
     }
 
-    fn wait(&mut self) {
+    fn wait(&self) {
         let mut fired = self.mutex.lock().unwrap();
         while !*fired {
             fired = self.cond.wait(fired).unwrap();
@@ -43,12 +44,9 @@ impl UnlockNotification {
 #[cfg(feature = "unlock_notify")]
 unsafe extern "C" fn unlock_notify_cb(ap_arg: *mut *mut c_void, n_arg: c_int) {
     use std::slice::from_raw_parts;
-    let args = from_raw_parts(ap_arg, n_arg as usize);
-    for arg in args {
-        let _ = catch_unwind(|| {
-            let un: &mut UnlockNotification = &mut *(*arg as *mut UnlockNotification);
-            un.fired()
-        });
+    let args = from_raw_parts(ap_arg as *const &UnlockNotification, n_arg as usize);
+    for un in args {
+        let _ = catch_unwind(std::panic::AssertUnwindSafe(|| un.fired()));
     }
 }
 
@@ -73,12 +71,12 @@ pub unsafe fn is_locked(db: *mut ffi::sqlite3, rc: c_int) -> bool {
 /// back the current transaction (if any).
 #[cfg(feature = "unlock_notify")]
 pub unsafe fn wait_for_unlock_notify(db: *mut ffi::sqlite3) -> c_int {
-    let mut un = UnlockNotification::new();
+    let un = UnlockNotification::new();
     /* Register for an unlock-notify callback. */
     let rc = ffi::sqlite3_unlock_notify(
         db,
         Some(unlock_notify_cb),
-        &mut un as *mut UnlockNotification as *mut c_void,
+        &un as *const UnlockNotification as *mut c_void,
     );
     debug_assert!(
         rc == ffi::SQLITE_LOCKED || rc == ffi::SQLITE_LOCKED_SHAREDCACHE || rc == ffi::SQLITE_OK

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-3cgf-9m6x-pwwrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-35868ghsaADVISORY
github.com/rusqlite/rusqlite/commit/45fd77ee43c38eea4d6f4e2e56c1667a55ec654fghsaWEB
github.com/rusqlite/rusqlite/releases/tag/0.23.0ghsax_refsource_MISCWEB
rustsec.org/advisories/RUSTSEC-2020-0014.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000