VYPR
High severity · NVD Advisory · Published Jan 22, 2021 · Updated Aug 4, 2024

CVE-2020-36215

Description

Unbounded Send/Sync traits on HConsed in hashconsing before 1.1.0 allow data races leading to memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability resides in the hashconsing crate's HConsed type, which implements the Send and Sync traits unconditionally via unsafe impl<T> Send for HConsed<T> {} and unsafe impl<T> Sync for HConsed<T> {}. This bypasses Rust's type system guarantees by allowing types that are not thread-safe (e.g., those containing Cell) to be shared across threads without restriction, potentially causing data races and memory corruption [1][2].

Exploitation requires constructing an HConsed wrapping a non-Send or non-Sync type and accessing it from multiple threads. A proof-of-concept in the advisory shows a data race where concurrent reads and writes to a Cell-based value lead to a segmentation fault [2]. The attack surface is broadened by the crate's use in concurrent scenarios; no authentication or special privileges are needed if the vulnerable code path is reachable.

The impact includes memory corruption and undefined behavior, which can be leveraged for denial of service. The CVSS score is 7.5 (HIGH) with an attack vector of network, low complexity, and no privileges required, primarily affecting availability [3].

The issue is patched in hashconsing version 1.1.0, which enforces proper trait bounds on HConsed's Send and Sync implementations. Users are strongly advised to update to the latest version [3]. No workarounds are available for affected versions.
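The difference between the unconditional and the bounded impls can be checked at compile time, without running any threads. The following is an added example, not code from the hashconsing crate or the advisory: Unbounded, Bounded, Probe, Fallback and audit are hypothetical names, and the bounds on Bounded are an assumption (the same ones std::sync::Arc<T> uses).

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::sync::Arc;

// Stand-in for the pre-1.1.0 pattern: thread-safety claimed for every T.
#[allow(dead_code)]
pub struct Unbounded<T>(Arc<T>);
unsafe impl<T> Send for Unbounded<T> {}
unsafe impl<T> Sync for Unbounded<T> {}

// Bounded form (assumed bounds: the ones std::sync::Arc<T> itself uses).
#[allow(dead_code)]
pub struct Bounded<T>(Arc<T>);
unsafe impl<T: Send + Sync> Send for Bounded<T> {}
unsafe impl<T: Send + Sync> Sync for Bounded<T> {}

// Compile-time probe: the inherent consts exist only when the bound holds;
// otherwise resolution falls back to the trait defaults (false).
#[allow(dead_code)]
pub struct Probe<T>(PhantomData<T>);
pub trait Fallback {
    const SEND: bool = false;
    const SYNC: bool = false;
}
impl<T> Fallback for Probe<T> {}
impl<T: Send> Probe<T> { pub const SEND: bool = true; }
impl<T: Sync> Probe<T> { pub const SYNC: bool = true; }

macro_rules! send_sync {
    ($t:ty) => { (stringify!($t), <Probe<$t>>::SEND, <Probe<$t>>::SYNC) };
}

/// (type, is Send, is Sync) for each wrapper around a non-Sync payload.
pub fn audit() -> [(&'static str, bool, bool); 4] {
    [
        send_sync!(Arc<Cell<u32>>),       // what the compiler derives
        send_sync!(Unbounded<Cell<u32>>), // unsound claim
        send_sync!(Bounded<Cell<u32>>),   // claim withdrawn for Cell
        send_sync!(Bounded<u32>),         // still usable across threads
    ]
}

fn main() {
    for (ty, send, sync) in audit() {
        println!("{ty:<24} Send={send:<5} Sync={sync}");
    }
}
```

The same probe can serve as a regression test in any crate that writes unsafe impl Send or Sync by hand: assert that the wrapper around a Cell payload reports false for both traits.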

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions   Patched versions
hashconsing (crates.io)   < 1.1.0             1.1.0

Affected products

2

References

4
