CVE-2020-36208
Description
The conquer-once crate's OnceCell lacked a Send bound in its Sync trait, allowing non-Send types to be sent across threads, causing memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The conquer-once crate's OnceCell lacked a Send bound in its Sync trait, allowing non-Send types to be sent across threads, causing memory corruption.
The vulnerability resides in the conquer-once Rust crate, version prior to 0.3.2. The OnceCell type implemented Sync for any T: Sync without requiring T: Send. This allowed a type that is Sync but not Send (e.g., MutexGuard) to be shared across threads, violating Rust's thread safety guarantees. The unsafe impl for Sync missed the Send bound, enabling the creation of concurrent access patterns that are undefined behavior [1][2].
Exploitation requires an attacker to control the initialization of a OnceCell with a non-Send type. In a multi-threaded context, the attacker can cause the non-Send value to be accessed or dropped from a different thread than the one that initialized it. The provided proof of concept demonstrates smuggling a MutexGuard across threads, leading to an attempt to unlock a mutex from a thread that did not lock it [3]. This requires local access and low privileges (CVSS 7.8) [2].
The impact is memory corruption and potential undefined behavior, which can lead to a crash, data corruption, or arbitrary code execution under favorable conditions. The Rust advisory classifies this as a memory corruption and thread safety issue [2].
The issue was fixed in version 0.3.2 by adding a Send bound to the Sync implementation. Users should update to >=0.3.2. No workarounds other than upgrading are documented [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
conquer-oncecrates.io | < 0.3.2 | 0.3.2 |
Affected products
2- Rust/conquer-once cratedescription
Patches
18af426dd5c9cbumpt to 0.3.2
3 files changed · +9 −5
Cargo.toml+1 −1 modified@@ -1,7 +1,7 @@ [package] name = "conquer-once" description = "Synchronization primitives for lazy and one-time initialization" -version = "0.3.1" +version = "0.3.2" authors = ["Oliver Giersch"] license = "MIT/Apache-2.0" readme = "README.md"
README.md+3 −3 modified@@ -23,7 +23,7 @@ To use this crate, add the following to your `Cargo.toml` ``` [dependencies] -conquer-once = "0.3.0" +conquer-once = "0.3.2" ``` ## Minimum Supported Rust Version (MSRV) @@ -40,9 +40,9 @@ exports the types in the crate's `spin` sub-module, which use spin-locks. The feature can be disabled by specifying the dependency as follows: -``` +``` [dependencies.conquer-once] -version = "0.3.0" +version = "0.3.2" use-default-features = false ```
RELEASES.md+5 −1 modified@@ -26,4 +26,8 @@ ### Release `0.3.1` -- fixes an apparent regression, requiring a new compiler than the stated 1.36.0 \ No newline at end of file +- fixes an apparent regression, requiring a new compiler than the stated 1.36.0 + +### Release `0.3.2` + +- fixes potential UB due to insufficiently strict bounds on `Sync` implementation for `OnceCell` (see [Issue #3](https://github.com/oliver-giersch/conquer-once/issues/3)) \ No newline at end of file
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-3jc5-5hc5-33gjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-36208ghsaADVISORY
- github.com/oliver-giersch/conquer-once/issues/3ghsaWEB
- rustsec.org/advisories/RUSTSEC-2020-0101.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.