CVE-2020-35914
Description
An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of RwLockWriteGuard unsoundness.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race vulnerability in the lock_api crate for Rust before 0.4.2 stems from unsound Send/Sync implementations on RwLockWriteGuard and can lead to memory corruption.
The lock_api crate provides synchronization primitives such as Mutex and RwLock for Rust [1]. In versions prior to 0.4.2, the RwLockWriteGuard type had incorrect Send and Sync trait bounds, allowing the guard to be sent across threads even when the inner type was not Send or Sync. This unsoundness violates Rust's memory safety guarantees and can lead to data races [2].
To exploit this vulnerability, an attacker would need to construct a program that transfers a RwLockWriteGuard containing a non-Send or non-Sync type to another thread. Once on the other thread, the guard could be used to access the inner data without proper synchronization, resulting in concurrent reads and writes that are not properly ordered [2].
The impact of this unsoundness is a data race, which in Rust can cause undefined behavior, memory corruption, or crashes. The RustSec advisory classifies this as an unsoundness issue with potential for memory corruption [2].
The issue was addressed in lock_api version 0.4.2 by tightening the Send and Sync bounds on lock guards, as implemented in pull request #262 [4]. Users are advised to update to lock_api 0.4.2 or later to mitigate the vulnerability.
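One way to regression-test the kind of bound tightening described above, as an added example that is not from the original page and is not lock_api's code. `LooseGuard`, `StrictGuard` and the `implements!` probe are hypothetical stand-ins, and the unbounded impls are an assumed shape of the flaw rather than the crate's pre-0.4.2 source.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical write guards (not lock_api's source). The raw pointer makes
// them !Send/!Sync by default, so the author must add `unsafe impl`s by hand.
#[allow(dead_code)]
pub struct LooseGuard<'a, T: ?Sized>(*mut T, PhantomData<&'a mut T>);
#[allow(dead_code)]
pub struct StrictGuard<'a, T: ?Sized>(*mut T, PhantomData<&'a mut T>);

// Assumed over-permissive shape: no bound on the payload `T`.
unsafe impl<'a, T: ?Sized> Send for LooseGuard<'a, T> {}
unsafe impl<'a, T: ?Sized> Sync for LooseGuard<'a, T> {}

// Tightened shape: moving the guard hands `&mut T` to another thread (needs
// T: Send); sharing `&guard` hands out `&T` (needs T: Sync).
unsafe impl<'a, T: ?Sized + Send> Send for StrictGuard<'a, T> {}
unsafe impl<'a, T: ?Sized + Sync> Sync for StrictGuard<'a, T> {}

// Probe: the inherent const wins only when the bound holds, else the trait
// default `false` is used. Works for concrete types only.
macro_rules! implements {
    ($ty:ty: $($tr:tt)+) => {{
        trait Fallback { const YES: bool = false; }
        impl<T: ?Sized> Fallback for T {}
        #[allow(dead_code)]
        struct Probe<T: ?Sized>(std::marker::PhantomData<T>);
        #[allow(dead_code)]
        impl<T: ?Sized + $($tr)+> Probe<T> { const YES: bool = true; }
        <Probe<$ty>>::YES
    }};
}

// (Send with a !Send payload, Sync with a !Sync payload)
pub fn loose_audit() -> (bool, bool) {
    (implements!(LooseGuard<'static, Rc<i32>>: Send), implements!(LooseGuard<'static, Cell<i32>>: Sync))
}
pub fn strict_audit() -> (bool, bool) {
    (implements!(StrictGuard<'static, Rc<i32>>: Send), implements!(StrictGuard<'static, Cell<i32>>: Sync))
}
// Thread-safe payloads must keep working after the tightening.
pub fn strict_plain() -> (bool, bool) {
    (implements!(StrictGuard<'static, i32>: Send), implements!(StrictGuard<'static, i32>: Sync))
}

fn main() {
    println!("loose  (Rc: Send, Cell: Sync) = {:?}", loose_audit());
    println!("strict (Rc: Send, Cell: Sync) = {:?}", strict_audit());
    println!("strict (i32: Send, i32: Sync) = {:?}", strict_plain());
}
```

The same probe can be pointed at guard types in your own code base as a unit test, so that a later change to an `unsafe impl` cannot silently widen the bounds again.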
- [1] GitHub - Amanieu/parking_lot: Compact and efficient synchronization primitives for Rust. Also provides an API for creating custom synchronization primitives.
- [2] Some lock_api lock guard objects can cause data races | RustSec Advisory Database
- [4] Fix bounds on Send and Sync impls for lock guards by Amanieu · Pull Request #262 · Amanieu/parking_lot
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lock_api (crates.io) | < 0.4.2 | 0.4.2 |
Affected products
- Rust/lock_api
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gmv4-vmx3-x9f3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-35914 (ghsa, ADVISORY)
- github.com/Amanieu/parking_lot/pull/262 (ghsa, WEB)
- rustsec.org/advisories/RUSTSEC-2020-0070.html (ghsa, x_refsource_MISC, WEB)