Moderate severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35928

Description

An issue was discovered in the concread crate before 0.2.6 for Rust. Attackers can cause an ARCache<K,V> data race by sending types that do not implement Send/Sync.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In concread before 0.2.6, ARCache<K,V> incorrectly implements Send/Sync without bounds, allowing safe Rust code to cause data races.

The vulnerability resides in the concread crate's ARCache<K,V> type. The unsafe implementations of Send and Sync for ARCache did not require the value type V to be Send or Sync, violating Rust's thread-safety guarantees. This allows non-Send/Sync types, such as Rc, to be shared across threads, leading to potential data races and undefined behavior. [1][3]

An attacker can exploit this by inserting a type like Rc (which is neither Send nor Sync) into the cache and then spawning multiple threads that read from the cache. The Rc's reference count is updated without synchronization, causing undefined behavior such as double-free or memory corruption. A proof-of-concept demonstrates that running the program can result in crashes or memory leaks. [3]

The impact is primarily on availability, with a CVSS score of 4.7 (Medium). The attack requires local access and high complexity, but no user interaction. The undefined behavior can lead to program crashes or memory corruption, potentially affecting system stability. [4]

The issue was patched in version 0.2.6 by adding Send/Sync bounds on V. Users are advised to update to >=0.2.6 to mitigate the vulnerability. [4]
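The bound described above, as an added example that is not concread's code: `ToyCache`, `Probe`, `Fallback` and the function names are hypothetical, and the toy bounds K as well as V. The probe shows at compile time that a cache of Arc values is Send + Sync while a cache of Rc values is not.

```rust
// Added example; ToyCache is a hypothetical stand-in, not concread's ARCache.
use std::marker::PhantomData;
use std::rc::Rc;
use std::sync::{Arc, Mutex};
use std::thread;

pub struct ToyCache<K, V> {
    slots: Mutex<Vec<(K, V)>>,
    _raw: PhantomData<*mut ()>, // models raw-pointer internals: no auto Send/Sync
}

impl<K: PartialEq, V: Clone> ToyCache<K, V> {
    pub fn new() -> Self { ToyCache { slots: Mutex::new(Vec::new()), _raw: PhantomData } }
    pub fn insert(&self, k: K, v: V) { self.slots.lock().unwrap().push((k, v)); }
    pub fn get(&self, k: &K) -> Option<V> {
        self.slots.lock().unwrap().iter().find(|(key, _)| key == k).map(|(_, v)| v.clone())
    }
}

// Unsound shape the advisory describes (no bounds), shown only as a comment:
//   unsafe impl<K, V> Send for ToyCache<K, V> {}
//   unsafe impl<K, V> Sync for ToyCache<K, V> {}
// Bounded shape: the cache is thread-safe only if its contents are.
unsafe impl<K: Send + Sync, V: Send + Sync> Send for ToyCache<K, V> {}
unsafe impl<K: Send + Sync, V: Send + Sync> Sync for ToyCache<K, V> {}

// Compile-time probe: the inherent const is chosen only when T: Send + Sync.
struct Probe<T>(PhantomData<T>);
trait Fallback { const OK: bool = false; }
impl<T> Fallback for Probe<T> {}
impl<T: Send + Sync> Probe<T> { const OK: bool = true; }

pub fn arc_cache_is_thread_safe() -> bool { <Probe<ToyCache<u32, Arc<u32>>>>::OK }
pub fn rc_cache_is_thread_safe() -> bool { <Probe<ToyCache<u32, Rc<u32>>>>::OK }

// Compiles only because ToyCache<u32, Arc<u32>> satisfies the bounded impls.
pub fn concurrent_reads(threads: usize) -> usize {
    let cache = Arc::new(ToyCache::new());
    cache.insert(1u32, Arc::new(7u32)); // constructed sample entry
    let handles: Vec<_> = (0..threads).map(|_| {
        let c = Arc::clone(&cache);
        thread::spawn(move || c.get(&1).map_or(0, |v| *v as usize))
    }).collect();
    handles.into_iter().map(|h| h.join().unwrap()).sum()
}

fn main() {
    println!("{} {} {}", arc_cache_is_thread_safe(), rc_cache_is_thread_safe(), concurrent_reads(4));
}
```

Swapping the Arc value in `concurrent_reads` for an Rc makes `thread::spawn` fail to compile under the bounded impls, which is the rejection the fix restores.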

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions   Patched versions
concread (crates.io)   < 0.2.6             0.2.6

Affected products

3

Patches

1
7e749b164e46

(cargo-release) version 0.2.6

https://github.com/kanidm/concread · William Brown · Nov 17, 2020 · via osv
1 file changed · +1 −1
  • Cargo.toml · +1 −1 · modified
    @@ -1,6 +1,6 @@
     [package]
     name = "concread"
    -version = "0.2.5"
    +version = "0.2.6"
     authors = ["William Brown <william@blackhats.net.au>"]
     
     description = "Concurrently Readable Data-Structures for Rust"
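Review bot: The `version` line in Cargo.toml (0.2.5 to 0.2.6) is the only change in this commit, so nothing here ties the release to the Send/Sync bound fix that the advisory attributes to 0.2.6. Reference the commit that changes the unsafe impls in the release message or in a changelog entry, so that anyone auditing the 0.2.6 upgrade can locate the bound change and verify it rather than trusting the version number alone.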
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
