VYPR
Moderate severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35924

Description

An issue was discovered in the try-mutex crate before 0.3.0 for Rust. TryMutex allows cross-thread sending of a non-Send type.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The try-mutex crate before 0.3.0 unsafely implements Sync for TryMutex, allowing non-Send types like Rc to be sent across threads, risking data races.

Vulnerability

The try-mutex crate (versions prior to 0.3.0) unconditionally implemented the Sync trait for TryMutex<T>, meaning the type was considered safe to share across threads regardless of whether T implements Send [2]. This violates Rust's thread-safety guarantees, as Sync should only be implemented when T: Send (as the standard library's Mutex does). The flaw was reported by researchers scanning crates.io for soundness bugs [4].

Exploitation

An attacker (or any user of the crate) can exploit this by wrapping a non-Send type, such as Rc, inside a TryMutex and then sending the mutex to another thread. Because TryMutex incorrectly implements Sync, the compiler does not prevent the cross-thread transfer. A proof-of-concept using crossbeam_utils::thread demonstrates that two threads can hold references to the same Rc instance, leading to concurrent access [4]. No special privileges are required beyond the ability to execute code that uses the vulnerable crate.

Impact

Successful exploitation allows data races on types that are not designed for concurrent access. For example, Rc (reference-counted pointer) is not atomic; concurrent increment/decrement of its reference count can cause use-after-free, double-free, or other memory corruption. The CVSS score is 5.5 (Medium) with availability impact rated High, as the most likely outcome is a crash or undefined behavior [2]. Confidentiality and integrity are not directly affected, but memory corruption could potentially be leveraged further.

Mitigation

The issue is fixed in version 0.3.0 of the try-mutex crate, which adds the T: Send bound to the Sync implementation [2]. Users should update to >=0.3.0. No workaround exists for older versions; the crate is no longer maintained, so upgrading is the only option.
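The bound that the fix adds, shown on a minimal try-lock written for this page. This is an added example, not the try-mutex crate's source; the type layout and the `try_with` and `contended_count` names are assumptions made for illustration.

```rust
use std::cell::UnsafeCell;
use std::sync::atomic::{AtomicBool, Ordering};
use std::thread;

// Hypothetical stand-in for the crate's type, not the try-mutex source.
pub struct TryMutex<T> {
    locked: AtomicBool,
    value: UnsafeCell<T>,
}

// Unsound form described by the advisory (no bound on T):
//     unsafe impl<T> Sync for TryMutex<T> {}
// Corrected form: the lock hands `&mut T` to whichever thread wins it, so
// sharing the lock is only sound when T itself may move between threads.
unsafe impl<T: Send> Sync for TryMutex<T> {}

impl<T> TryMutex<T> {
    pub fn new(value: T) -> Self {
        TryMutex { locked: AtomicBool::new(false), value: UnsafeCell::new(value) }
    }

    /// Runs `f` on the value if the lock is free; returns None if it is held.
    /// If `f` panics the lock simply stays held (no unlock-on-unwind here).
    pub fn try_with<R>(&self, f: impl FnOnce(&mut T) -> R) -> Option<R> {
        self.locked
            .compare_exchange(false, true, Ordering::Acquire, Ordering::Relaxed)
            .ok()?;
        // SAFETY: the flag gives this thread exclusive access until the store below.
        let out = f(unsafe { &mut *self.value.get() });
        self.locked.store(false, Ordering::Release);
        Some(out)
    }
}

/// Several threads retry `try_with` on one shared lock; returns the final count.
pub fn contended_count(threads: usize, per_thread: usize) -> usize {
    let m = TryMutex::new(0usize); // usize is Send, so &TryMutex<usize> may be shared
    thread::scope(|s| {
        for _ in 0..threads {
            s.spawn(|| {
                for _ in 0..per_thread {
                    while m.try_with(|n| *n += 1).is_none() {
                        std::hint::spin_loop();
                    }
                }
            });
        }
    });
    m.try_with(|n| *n).unwrap()
}
// Replacing `0usize` with `std::rc::Rc::new(0)` now fails to compile (E0277),
// because Rc is not Send and TryMutex<Rc<_>> is therefore not Sync.
```

For dependency triage, `cargo tree -i try-mutex` lists which packages in a workspace pull the crate in and at what version.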

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| try-mutex (crates.io) | < 0.3.0 | 0.3.0 |
