VYPR
High severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35874

Description

An issue was discovered in the internment crate through 2020-05-28 for Rust. ArcIntern::drop has a race condition and resultant use-after-free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Rust's `internment` crate `ArcIntern::drop` can lead to a use-after-free vulnerability, allowing memory corruption.

Vulnerability

CVE-2020-35874 describes a race condition in the ArcIntern::drop function of the internment crate for Rust. The issue occurs because the function decrements the reference count and then, if the count reaches zero, attempts to remove the value from an internal map. However, between the count decrement and the map removal, a concurrent thread can create a new ArcIntern with the same value. This new allocation can reuse the memory that the first thread is about to free, leading to a dangling pointer and a use-after-free condition when the original thread removes the entry from the map [1][3].
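The window described above, replayed in a fixed order as a safe-Rust model (an added example, not the internment crate's code or its actual patch). `Pool`, `release`, `remove_unchecked`, `remove_checked` and `live_handle_survives` are hypothetical names, the model assumes the second thread is handed the existing map entry, and the hardened branch shows one common way to close such a window: re-checking the count while holding the map lock.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};
use std::sync::{Arc, Mutex};

// Constructed model of an interning pool (value -> shared count), safe Rust only.
struct Pool(Mutex<HashMap<String, Arc<AtomicUsize>>>);

impl Pool {
    // Intern `v`: reuse the existing entry if present and bump its count.
    fn intern(&self, v: &str) -> Arc<AtomicUsize> {
        let mut m = self.0.lock().unwrap();
        let e = m.entry(v.to_string()).or_insert_with(|| Arc::new(AtomicUsize::new(0)));
        e.fetch_add(1, SeqCst);
        Arc::clone(e)
    }
    // Drop, step 1: decrement; true means this handle was the last one.
    fn release(h: &Arc<AtomicUsize>) -> bool { h.fetch_sub(1, SeqCst) == 1 }
    // Drop, step 2 (racy): act on the now stale "was last" answer.
    fn remove_unchecked(&self, v: &str) { self.0.lock().unwrap().remove(v); }
    // Drop, step 2 (hardened): re-check the count while holding the map lock.
    fn remove_checked(&self, v: &str) {
        let mut m = self.0.lock().unwrap();
        if m.get(v).map_or(false, |c| c.load(SeqCst) == 0) {
            m.remove(v);
        }
    }
}

// Replays the interleaving in order: A releases, B interns the same value, A removes.
// Returns true if B's live handle still has its pool entry afterwards.
fn live_handle_survives(hardened: bool) -> bool {
    let pool = Pool(Mutex::new(HashMap::new()));
    let a = pool.intern("k");
    let was_last = Pool::release(&a); // thread A: count 1 -> 0
    let b = pool.intern("k"); // thread B: same value, count 0 -> 1
    if was_last && hardened {
        pool.remove_checked("k");
    } else if was_last {
        pool.remove_unchecked("k");
    }
    let m = pool.0.lock().unwrap();
    m.get("k").map_or(false, |e| Arc::ptr_eq(e, &b))
}

fn main() {
    println!("racy: {}, hardened: {}", live_handle_survives(false), live_handle_survives(true));
}
```

In the model the racy path only orphans a live handle; in code that frees the entry on removal, the same ordering is what produces the dangling pointer.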

Exploitation

The vulnerability is exploitable by an attacker who can influence the concurrent creation and dropping of ArcIntern instances with the same value. An attacker does not need any special privileges, but the attack complexity is high due to the precise timing required to trigger the race condition (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) [3]. The attack surface is limited to applications that use the ArcIntern type and where an attacker can control the values being interned or influence the timing of drop operations [1][2].

Impact

A successful exploit can lead to memory corruption, potentially allowing an attacker to achieve arbitrary read/write primitives, resulting in high impacts on confidentiality, integrity, and availability [3]. The vulnerability is a memory-corruption issue and has been assigned a CVSS score of 8.1 (HIGH).

Mitigation

The issue was patched in version 0.4.0 of the internment crate. Users are advised to update to 0.4.0 or later. Versions prior to 0.3.12 are unaffected by this specific vulnerability (likely due to lacking the ArcIntern feature) [3]. No workarounds are documented; updating is the recommended action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| internment (crates.io) | >= 0.3.12, < 0.4.0 | 0.4.0 |
