VYPR
Moderate severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35886


Description

An issue was discovered in the arr crate through 2020-08-25 for Rust. An attacker can smuggle non-Sync/Send types across a thread boundary to cause a data race.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The arr crate up to 2020-08-25 for Rust incorrectly implements Sync/Send bounds, allowing non-Sync/Send types to be smuggled across thread boundaries and causing data races.

Vulnerability Description

The affected version of the arr crate (prior to 2020-08-25) contains an incorrect implementation of the Sync and Send bounds for its Array type. This design flaw permits an attacker to smuggle types that are not Sync or Send, such as Rc, across a thread boundary, thereby enabling a data race [1].

Exploitation Details

An attacker can exploit this vulnerability without requiring authentication, as the issue lies in the crate's type-safety guarantees rather than in any access control. A proof-of-concept demonstrates cloning an Rc inside a separate thread via crossbeam_utils::thread::scope, which should be disallowed by Rust's thread-safety model. The bound violation allows the non-Send reference-counted pointer to be shared across threads, leading to unsynchronized concurrent access [1][3].
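The bug class above is an `unsafe impl Send/Sync` without a bound on the element type. The following is an added illustration, not the arr crate's own code: a minimal stand-in `Array<T>` backed by a raw pointer, with the unsound bound pattern shown as a comment beside the sound one, and a scoped-thread use that only compiles because the bounds are correct.

```rust
// Added example (not the arr crate's source): a minimal heap-backed array
// with hand-written Send/Sync impls. `Array` here is a hypothetical stand-in
// whose raw pointer makes it !Send/!Sync unless we assert otherwise.
use std::ptr::NonNull;
use std::sync::{Arc, Mutex};

pub struct Array<T> {
    ptr: NonNull<T>, // points into a leaked Box<[T]>; raw pointers are !Send/!Sync
    len: usize,
}

// UNSOUND (the pattern behind this advisory): no bound on T, so Array<Rc<u32>>
// would be Send and an Rc could be cloned from two threads at once.
//     unsafe impl<T> Send for Array<T> {}
//     unsafe impl<T> Sync for Array<T> {}
//
// SOUND: Array<T> owns its elements, so it is exactly as thread-safe as T.
unsafe impl<T: Send> Send for Array<T> {}
unsafe impl<T: Sync> Sync for Array<T> {}

impl<T> Array<T> {
    pub fn from_vec(v: Vec<T>) -> Self {
        let boxed: Box<[T]> = v.into_boxed_slice();
        let len = boxed.len();
        // Box<[T]> gives a non-null (possibly dangling for len 0) pointer.
        let ptr = NonNull::new(Box::into_raw(boxed) as *mut T).expect("non-null");
        Array { ptr, len }
    }
    pub fn as_slice(&self) -> &[T] {
        unsafe { std::slice::from_raw_parts(self.ptr.as_ptr(), self.len) }
    }
}

impl<T> Drop for Array<T> {
    fn drop(&mut self) {
        let raw = std::ptr::slice_from_raw_parts_mut(self.ptr.as_ptr(), self.len);
        unsafe { drop(Box::from_raw(raw)) } // rebuild the Box<[T]> and free it
    }
}

/// Compile-time guard: this call is only well-formed if `T: Send`.
/// With the sound impls, `assert_send(&Array::<std::rc::Rc<u32>>...)` is rejected.
fn assert_send<T: Send>(_: &T) {}

/// Array<Arc<Mutex<u32>>> is Send + Sync, so a scoped thread may read it.
pub fn sum_in_thread(values: Vec<u32>) -> u32 {
    let arr = Array::from_vec(values.into_iter().map(|v| Arc::new(Mutex::new(v))).collect());
    assert_send(&arr);
    std::thread::scope(|s| {
        s.spawn(|| arr.as_slice().iter().map(|m| *m.lock().unwrap()).sum::<u32>())
            .join()
            .unwrap()
    })
}
```

Auditing for this bug means looking for `unsafe impl<T> Send`/`Sync` on generic wrappers where the bound does not repeat `T: Send`/`T: Sync`.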

Impact

Successful exploitation results in a data race, which can lead to memory corruption, undefined behavior, and potential crashes. The Rust advisory categorizes this under thread-safety vulnerabilities and notes that no patch is available, leaving all users of the affected crate exposed [3].

Mitigation Status

As of the latest advisory, no patched version of the arr crate exists. The project appears unmaintained, and users are advised to avoid using the crate or to carefully audit any usage involving cross-thread operations [3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: arr (crates.io)
Affected versions: <= 0.6.1
Patched versions: none

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.