CVE-2020-35876
Description
The rio crate for Rust allows leaking a struct, enabling sensitive information disclosure, use-after-free, or data races via forgotten completions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The rio crate for Rust allows leaking a struct, enabling sensitive information disclosure, use-after-free, or data races via forgotten completions.
Vulnerability
Overview The vulnerability in the rio crate (through 2020-05-11) for Rust arises because a rio::Completion struct can be leaked, meaning its destructor never runs. The crate relies on the destructor to delay freeing buffers until the associated I/O request completes. However, Rust's safety model permits scenarios where an object's lifetime ends without its destructor executing—for example, via std::mem::forget—and this crate does not guard against such leaks [1][4]. The official advisory details that the drop code is responsible for ensuring buffers remain valid until the kernel finishes with them; when the destructor is skipped, those buffers can be freed prematurely [4].
Exploitation
Details To exploit this vulnerability, an attacker does not need any special privileges or user interaction; the CVSS vector indicates the attack vector is network-based with low complexity [2]. The attack surface revolves around any code path that causes a Completion to be forgotten. Because the crate exposes a public API where users can inadvertently leak completions (e.g., by calling std::mem::forget or through panic/unwind scenarios), an attacker who can influence such code paths or control inputs that lead to completion leaks can trigger the issue. No authentication is required, and the vulnerability can be triggered without the victim's knowledge [2].
Impact
If a Completion is leaked, the buffers involved in the I/O request may be freed while the kernel or other threads still hold references to them. This can lead to use-after-free memory access, data races, or exposure of sensitive information contained in the freed memory. The Raspberry Pi OS advisory categorizes this under memory corruption and memory exposure, and the CVSS score of 9.8 (Critical) reflects the high potential impact on confidentiality, integrity, and availability [2][4].
Mitigation
Status As of the latest advisory, no patched version of the rio crate has been released to address this issue; users are advised to avoid using the crate if Rust soundness guarantees are important [1][4]. The maintainers note that the crate is intended to be misuse-resistant but acknowledge that this specific leak scenario is possible and warn users to be careful not to let completions leak [1]. No workaround is provided beyond avoiding the crate or ensuring that Completion objects are never forgotten.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
riocrates.io | <= 0.9.4 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-8rc5-mr4f-m243ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-35876ghsaADVISORY
- github.com/spacejam/rio/issues/11ghsaWEB
- github.com/spacejam/rio/pull/31ghsaWEB
- rustsec.org/advisories/RUSTSEC-2020-0021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.