CVE-2020-36211
Description
In the gfwx crate before 0.3.0, missing bounds on Send/Sync for ImageChunkMut allows data races and memory corruption from safe Rust code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The vulnerability in the gfwx crate (versions before 0.3.0) stems from the ImageChunkMut type implementing the Send and Sync traits without bounds on its generic parameter T [4]. Specifically, the unsafe implementations unsafe impl Send for ImageChunkMut<'_, T> {} and unsafe impl Sync for ImageChunkMut<'_, T> {} allow the type to be sent to and shared across threads even when T itself is not Send or Sync [3]. This violates Rust's thread-safety guarantees and opens the door to data races.
Exploitation
An attacker can exploit this vulnerability by constructing a scenario where ImageChunkMut wraps a type like Cell that is Send but not Sync (or vice versa) and then using safe Rust concurrency primitives (e.g., crossbeam_utils::thread) to simultaneously access the same memory from multiple threads [4]. No unsafe code is needed from the exploiter; all operations can be performed in safe Rust, making the bug especially dangerous for library users who expect memory safety from the language [3]. The attack requires local access and low privileges, but exploitation complexity is high due to the need to trigger specific race conditions [3].
Impact
Successful exploitation leads to a data race, resulting in memory corruption [1]. This can manifest as reading or writing to freed memory, type confusion, or other undefined behavior [3]. The CVSS v3.1 score is 7.0 (High), with high impacts on confidentiality, integrity, and availability [3]. In practice, an attacker could potentially corrupt sensitive data or cause a denial of service.
Mitigation
The issue has been fixed in version 0.3.0 of the gfwx crate by adding T: Send and T: Sync bounds to the respective trait implementations [2][3]. Users are advised to update to at least 0.3.0. There is no known workaround for earlier versions, as the fix requires modifying the crate's source code [4].
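The following is an added example, not code from gfwx: a cut-down stand-in for ImageChunkMut that places the unconditional unsafe impl Send / unsafe impl Sync described under Root Cause beside the bounded form that the 0.3.0 fix uses, probes at runtime (using the inherent-method-precedence trick) which of the two wrappers the compiler treats as Sync for a Cell<u8> payload, and then exercises the bounded wrapper the way it is meant to be used, fanning rows of a buffer out to scoped threads. The type names UnsoundChunkMut and ChunkMut, the raw-pointer-plus-length layout, the is_sync! macro and double_rows_in_parallel are assumptions of this example, not the crate's API.

```rust
// Added example (not gfwx's code): a minimal stand-in for ImageChunkMut.
// Type names, the raw-pointer layout and the probe macro are assumptions.
use std::cell::Cell;
use std::marker::PhantomData;

/// Shape of the bug the advisory describes: the wrapper is declared Send/Sync
/// for every T, so a chunk over Cell<u8> becomes shareable across threads
/// although Cell<u8> is not Sync. Do not write impls like these.
#[allow(dead_code)]
pub struct UnsoundChunkMut<'a, T> {
    ptr: *mut T,
    len: usize,
    _marker: PhantomData<&'a mut [T]>,
}
unsafe impl<T> Send for UnsoundChunkMut<'_, T> {}
unsafe impl<T> Sync for UnsoundChunkMut<'_, T> {}

/// Fixed shape (what gfwx 0.3.0 does): the wrapper is Send/Sync only when the
/// element type is, which is exactly what an exclusive slice would guarantee.
pub struct ChunkMut<'a, T> {
    ptr: *mut T,
    len: usize,
    _marker: PhantomData<&'a mut [T]>,
}
unsafe impl<T: Send> Send for ChunkMut<'_, T> {}
unsafe impl<T: Sync> Sync for ChunkMut<'_, T> {}

impl<'a, T> ChunkMut<'a, T> {
    pub fn new(slice: &'a mut [T]) -> Self {
        ChunkMut { ptr: slice.as_mut_ptr(), len: slice.len(), _marker: PhantomData }
    }

    pub fn as_mut_slice(&mut self) -> &mut [T] {
        // SAFETY: ptr/len were taken from a live `&'a mut [T]` that this wrapper
        // holds exclusively for 'a, so the slice is valid and unaliased.
        unsafe { std::slice::from_raw_parts_mut(self.ptr, self.len) }
    }
}

/// Runtime probe for `$t: Sync`, evaluated at each expansion site. Inherent
/// methods take precedence over trait methods: when the bound holds the
/// inherent method (true) is picked, otherwise the blanket trait method (false).
macro_rules! is_sync {
    ($t:ty) => {{
        #[allow(dead_code)]
        struct Probe<T>(::std::marker::PhantomData<T>);
        #[allow(dead_code)]
        trait NotSync {
            fn is_sync(&self) -> bool { false }
        }
        impl<T> NotSync for Probe<T> {}
        #[allow(dead_code)]
        impl<T: Sync> Probe<T> {
            fn is_sync(&self) -> bool { true }
        }
        Probe::<$t>(::std::marker::PhantomData).is_sync()
    }};
}

/// The unbounded wrapper claims Sync even for a Cell payload (the bug).
pub fn unsound_claims_sync_for_cell() -> bool {
    is_sync!(UnsoundChunkMut<'static, Cell<u8>>)
}

/// The bounded wrapper refuses Sync for a Cell payload (the fix) ...
pub fn fixed_claims_sync_for_cell() -> bool {
    is_sync!(ChunkMut<'static, Cell<u8>>)
}

/// ... while still granting it for plain sample data.
pub fn fixed_claims_sync_for_u8() -> bool {
    is_sync!(ChunkMut<'static, u8>)
}

/// Intended use of the bounded wrapper: split a row-major buffer into rows and
/// double every sample on its own scoped thread. This compiles only because
/// ChunkMut<u8>: Send; with Cell<u8> samples the compiler rejects the spawn.
pub fn double_rows_in_parallel(buf: &mut [u8], row_len: usize) {
    let rows: Vec<ChunkMut<'_, u8>> = buf.chunks_mut(row_len).map(ChunkMut::new).collect();
    std::thread::scope(|s| {
        for mut row in rows {
            s.spawn(move || {
                for px in row.as_mut_slice() {
                    *px = px.wrapping_mul(2);
                }
            });
        }
    });
}

fn main() {
    println!("unsound wrapper Sync for Cell<u8>: {}", unsound_claims_sync_for_cell());
    println!("fixed wrapper Sync for Cell<u8>:   {}", fixed_claims_sync_for_cell());
    println!("fixed wrapper Sync for u8:         {}", fixed_claims_sync_for_u8());
    // Constructed sample image: two rows of three samples each.
    let mut image = vec![1u8, 2, 3, 4, 5, 6];
    double_rows_in_parallel(&mut image, 3);
    println!("{:?}", image);
}
```

Running it prints true, false, true and the doubled buffer: the unbounded impls let a Cell payload through, the bounded ones do not, and ordinary sample data stays shareable, so the fix removes the unsoundness without giving up the legitimate multi-threaded use.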
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gfwx (crates.io) | < 0.3.0 | 0.3.0 |
Affected products
- Rust/gfwx
Patches
1253727a54c4b: remove 'benches' exclusion
1 file changed · +0 −1
Cargo.toml+0 −1 modified@@ -12,7 +12,6 @@ edition = "2018" exclude = [ ".*", - "benches/*", "examples/*", "ci/*", "reference_app/*",
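Review bot: this hunk only drops "benches/*" from the exclude list in Cargo.toml and touches none of the Send/Sync impls for ImageChunkMut that the advisory says were corrected in 0.3.0, so on its own it does not evidence the fix; the Patches entry should point at the commit that adds the T: Send and T: Sync bounds to those unsafe impls, with this packaging change at most listed alongside it.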
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xp6v-qx65-4pp7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36211 (GHSA, advisory)
- github.com/Devolutions/gfwx-rs/issues/7 (GHSA, web)
- rustsec.org/advisories/RUSTSEC-2020-0104.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.