CVE-2020-36203
Description
The reffers crate for Rust allowed ARefss to contain non-Send+Sync objects, enabling data races and memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The reffers crate (versions before 0.6.1) contained a soundness issue in the ARefss::map() and ARefss::try_map() methods. ARefss is the variant of ARef that is declared Send + Sync, but these two methods placed no Send + Sync bound on the target type parameter V, so safe Rust code could produce an ARefss whose referent is not Send or not Sync [1][2]. The fix commit shows the same gap in ARefs::map()/try_map(), whose V lacked the Send bound that ARefs claims [4]. In both cases the wrapper advertises thread-safety guarantees that its contents do not have.
Triggering the bug needs only safe code: call map (or try_map) with a closure that returns a reference to a type that is not Sync, such as Cell, or neither Send nor Sync, such as Rc. Because the closure's signature is FnOnce(&U) -> &V, it may ignore its argument and return a 'static reference; the proof of concept in the upstream issue does this with a &Cell obtained from Box::leak and stores it in an ARefss [3]. Once that ARefss is shared across threads, concurrent access to the Cell is a data race.
The race is not merely theoretical: the PoC ends up dereferencing a dangling pointer and segfaults [3]. Since this is undefined behaviour, the realistic outcomes range from a crash (denial of service) to memory corruption. The CVSS score is 4.7 (Medium), with high attack complexity and local access required [2].
The issue was fixed in version 0.6.1 by adding a Send bound to ARefs::map/try_map and a Send + Sync bound to ARefss::map/try_map [4]. Users should update to 0.6.1 or later. There is no workaround beyond auditing every map/try_map call site to confirm that the target type is Send (ARefs) or Send + Sync (ARefss), which is exactly the check the compiler now performs.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
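The following is an added example, not code from the reffers crate or from the upstream issue. It models the shape of the bug with a hypothetical wrapper `SharedRef` (assumed, simplified: a reference plus blanket `unsafe impl Send/Sync`, with the type-erased owner that real ARefss keeps omitted). `map_unbounded` has the pre-0.6.1 signature and lets a `&'static Cell` obtained via `Box::leak` into a wrapper that still claims Sync; `map_bounded` has the 0.6.1 signature. The sample `Stats` data is constructed for the example. The smuggled `Cell` is deliberately never shared across threads, because doing so would be undefined behaviour.

```rust
use std::cell::Cell;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::thread;

/// Hypothetical stand-in for ARefss (assumed, simplified design): a shared
/// reference whose wrapper claims Send + Sync unconditionally via unsafe
/// impls, so every way of choosing the target type V must carry the bound.
/// Real ARefss also keeps a type-erased owner alive; that is omitted here.
pub struct SharedRef<'a, V: ?Sized>(&'a V);

// These blanket impls are what make the bounds below load-bearing.
unsafe impl<'a, V: ?Sized> Send for SharedRef<'a, V> {}
unsafe impl<'a, V: ?Sized> Sync for SharedRef<'a, V> {}

impl<'a, V: ?Sized + Send + Sync> SharedRef<'a, V> {
    /// The constructor checks the bound, as the reffers constructors do.
    pub fn new(v: &'a V) -> Self {
        SharedRef(v)
    }
}

impl<'a, U: ?Sized> SharedRef<'a, U> {
    /// Pre-0.6.1 shape of `map`: `V` carries no bound, so the closure can
    /// return a `&'static Cell`, which the wrapper then wrongly advertises
    /// as Sync. The closure type is `for<'b> FnOnce(&'b U) -> &'b V`, so
    /// ignoring the argument and returning a `'static` reference is allowed.
    pub fn map_unbounded<V: ?Sized, F: FnOnce(&U) -> &V>(self, f: F) -> SharedRef<'a, V> {
        SharedRef(f(self.0))
    }

    /// 0.6.1 shape of `map`: the bound is restored, so `map_bounded(|_| leaked_cell)`
    /// is a compile error instead of a data race waiting to happen.
    pub fn map_bounded<V: ?Sized + Send + Sync, F: FnOnce(&U) -> &V>(self, f: F) -> SharedRef<'a, V> {
        SharedRef(f(self.0))
    }

    pub fn get(&self) -> &U {
        self.0
    }
}

/// Constructed sample data: genuinely Send + Sync, so `SharedRef::new` accepts it.
pub struct Stats {
    pub hits: AtomicUsize,
    pub misses: AtomicUsize,
}

/// The hole: this compiles, and the returned wrapper is Send + Sync by the
/// unsafe impls although `Cell<u64>` is not Sync. Sharing it between threads
/// and calling `set` concurrently would be a data race (undefined behaviour),
/// so this function only returns it; nothing in this example races on it.
pub fn smuggle_cell(stats: &Stats) -> SharedRef<'_, Cell<u64>> {
    let leaked: &'static Cell<u64> = Box::leak(Box::new(Cell::new(0)));
    SharedRef::new(stats).map_unbounded(|_| leaked)
}

/// The sound path: `map_bounded` admits `AtomicUsize`, which really is Sync,
/// so the mapped wrapper can be shared across threads safely.
pub fn count_hits(stats: &Stats, threads: usize, per_thread: usize) -> usize {
    let hits = SharedRef::new(stats).map_bounded(|st| &st.hits);
    thread::scope(|scope| {
        for _ in 0..threads {
            let h = &hits;
            scope.spawn(move || {
                for _ in 0..per_thread {
                    h.get().fetch_add(1, Ordering::Relaxed);
                }
            });
        }
    });
    hits.get().load(Ordering::Relaxed)
}

/// Compile-time probe: only type-checks when `T: Send + Sync`. Calling it on
/// `SharedRef<'static, Cell<u64>>` compiles, which is exactly the unsoundness.
pub fn assert_send_sync<T: ?Sized + Send + Sync>() {}

fn main() {
    let stats = Stats { hits: AtomicUsize::new(0), misses: AtomicUsize::new(0) };
    println!("hits counted from 4 threads: {}", count_hits(&stats, 4, 250));
    println!("misses: {}", stats.misses.load(Ordering::Relaxed));
    let smuggled = smuggle_cell(&stats);
    smuggled.get().set(42);
    assert_send_sync::<SharedRef<'static, Cell<u64>>>();
    println!("smuggled cell value: {}", smuggled.get().get());
}
```

The useful audit trick here is `assert_send_sync`: for any wrapper that carries a blanket `unsafe impl Send`/`Sync`, call it on an instantiation with `Cell` or `Rc` in a test module; if it compiles, some constructor or projection method has dropped the bound. Changing `map_unbounded` to `map_bounded` in `smuggle_cell` turns the example into a compile error, which is the behaviour the 0.6.1 fix restores.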
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| reffers (crates.io) | < 0.6.1 | 0.6.1 |
Affected products
- Rust/reffers crate
Patches
6dd7ca0d50f2 Fix unsoundness in arefs/arefss::map/try_map
1 file changed · +5 −5
src/aref.rs+5 −5 modified@@ -516,7 +516,7 @@ impl<'a, U: ?Sized> ARefs<'a, U> { /// assert_eq!(*aref.map(|s| &s[1]), 5); /// ``` #[inline] - pub fn map<V: ?Sized, F: FnOnce(&U) -> &V>(self, f: F) -> ARefs<'a, V> { ARefs(self.0.map(f)) } + pub fn map<V: ?Sized + Send, F: FnOnce(&U) -> &V>(self, f: F) -> ARefs<'a, V> { ARefs(self.0.map(f)) } /// Like map, but with Result passthrough. /// @@ -528,11 +528,11 @@ impl<'a, U: ?Sized> ARefs<'a, U> { /// assert_eq!(aref.try_map(|s| s.get(9).ok_or(())), Err(())); /// ``` #[inline] - pub fn try_map<E, V: ?Sized, F: FnOnce(&U) -> Result<&V, E>>(self, f: F) -> Result<ARefs<'a, V>, E> { + pub fn try_map<E, V: ?Sized + Send, F: FnOnce(&U) -> Result<&V, E>>(self, f: F) -> Result<ARefs<'a, V>, E> { self.0.try_map(f).map(|z| ARefs(z)) } - /// Removes the type information that this struct is Send + Sync. + /// Removes the type information that this struct is Send. #[inline] pub fn into_aref(self) -> ARef<'a, U> { self.0 } } @@ -564,7 +564,7 @@ impl<'a, U: ?Sized> ARefss<'a, U> { /// assert_eq!(*aref.map(|s| &s[1]), 5); /// ``` #[inline] - pub fn map<V: ?Sized, F: FnOnce(&U) -> &V>(self, f: F) -> ARefss<'a, V> { ARefss(self.0.map(f)) } + pub fn map<V: ?Sized + Send + Sync, F: FnOnce(&U) -> &V>(self, f: F) -> ARefss<'a, V> { ARefss(self.0.map(f)) } /// Like map, but with Result passthrough. /// @@ -576,7 +576,7 @@ impl<'a, U: ?Sized> ARefss<'a, U> { /// assert_eq!(aref.try_map(|s| s.get(9).ok_or(())), Err(())); /// ``` #[inline] - pub fn try_map<E, V: ?Sized, F: FnOnce(&U) -> Result<&V, E>>(self, f: F) -> Result<ARefss<'a, V>, E> { + pub fn try_map<E, V: ?Sized + Send + Sync, F: FnOnce(&U) -> Result<&V, E>>(self, f: F) -> Result<ARefss<'a, V>, E> { self.0.try_map(f).map(|z| ARefss(z)) }
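Review bot: the tightened bounds (`V: ?Sized + Send` on ARefs::map/try_map, `V: ?Sized + Send + Sync` on ARefss::map/try_map) land without any test or doc line that pins them; the doc examples above each method (`assert_eq!(*aref.map(|s| &s[1]), 5);`) still show only the happy path. Add a `compile_fail` doctest per wrapper that maps into a `Cell` or `Rc` so a later refactor cannot silently drop the bound again, and state the requirement in each method's doc comment. The `into_aref` doc fix (`Removes the type information that this struct is Send.`) is correct for ARefs, which only claims Send.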
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-39xg-8p43-h76x (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36203 (NVD)
- github.com/diwic/reffers-rs/commit/6dd7ca0d50f2464df708975cdafcfaeeb6d41c66 (fix commit)
- github.com/diwic/reffers-rs/issues/7 (upstream issue with PoC)
- rustsec.org/advisories/RUSTSEC-2020-0094.html (RustSec advisory)
News mentions
No linked articles in our index yet.