CVE-2020-35912
Description
An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedRwLockWriteGuard unsoundness.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race vulnerability in the lock_api crate (before 0.4.2) due to unsound MappedRwLockWriteGuard allows potential memory corruption in multi-threaded Rust programs.
Vulnerability Overview
The lock_api crate, part of the parking_lot ecosystem, provides efficient synchronization primitives for Rust. In versions prior to 0.4.2, the MappedRwLockWriteGuard type had incorrect Send and Sync trait bounds, leading to unsoundness that could cause data races [1][2]. This flaw violates Rust's memory safety guarantees in concurrent contexts.
Exploitation Conditions
Exploitation requires a scenario where a MappedRwLockWriteGuard is moved across threads without proper synchronization. The incorrect bounds allow the guard to be sent to another thread while the underlying lock is still held, enabling concurrent unsynchronized access to the protected data [2][4]. This is a type-system logic error rather than a runtime exploit, but it can be triggered by any code that relies on the guard's thread-safety properties.
Impact
An attacker who can influence the use of MappedRwLockWriteGuard in a multi-threaded application may cause data races, leading to memory corruption, undefined behavior, and potential security vulnerabilities such as information disclosure or denial of service [2]. The issue is classified as an unsoundness with memory-corruption and thread-safety implications.
Mitigation
The vulnerability is fixed in lock_api version 0.4.2, released in November 2020. Users should update to this version or later. The fix, implemented in pull request #262, adjusts the Send and Sync bounds for lock guards to enforce correct thread-safety constraints [4]. No workarounds are available; updating is the recommended action.
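A check for the update advice above, as an added example that is not part of the advisory or the lock_api project: it scans Cargo.lock text for lock_api entries older than 0.4.2, including the case where Cargo resolves several versions side by side. The sample lock file is constructed, and the function names are hypothetical.

```rust
// First patched release, as stated on this page.
const FIXED: (u64, u64, u64) = (0, 4, 2);
// Constructed sample: two lock_api versions resolved in one lock file.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "lock_api"
version = "0.3.4"
[[package]]
name = "lock_api"
version = "0.4.2"
[[package]]
name = "parking_lot"
version = "0.11.1"
"#;

// Strict MAJOR.MINOR.PATCH parse; anything else yields None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    let parsed = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(parsed) }
}

// Value of a `key = "value"` line, or None if the line has another shape.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// lock_api versions older than FIXED; unparsable versions are reported too.
fn affected_lock_api_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_lock_api = false;
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            in_lock_api = false;
        } else if let Some(name) = quoted_value(line, "name") {
            in_lock_api = name == "lock_api";
        } else if let Some(ver) = quoted_value(line, "version") {
            if in_lock_api && parse_version(ver).map_or(true, |v| v < FIXED) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

fn main() {
    println!("affected lock_api versions: {:?}", affected_lock_api_versions(SAMPLE_LOCK));
}
```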
- GitHub - Amanieu/parking_lot: Compact and efficient synchronization primitives for Rust. Also provides an API for creating custom synchronization primitives.
- Some lock_api lock guard objects can cause data races › RustSec Advisory Database
- Fix bounds on Send and Sync impls for lock guards by Amanieu · Pull Request #262 · Amanieu/parking_lot
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lock_api (crates.io) | < 0.4.2 | 0.4.2 |
Affected products
- Rust/lock_api (description)
References
- github.com/advisories/GHSA-5wg8-7c9q-794v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-35912 (ghsa, ADVISORY)
- github.com/Amanieu/parking_lot/pull/262 (ghsa, WEB)
- rustsec.org/advisories/RUSTSEC-2020-0070.html (ghsa, x_refsource_MISC, WEB)