Moderate severity · NVD Advisory · Published Jan 22, 2021 · Updated Aug 4, 2024

CVE-2020-36217

Description

The may_queue crate's Queue type lacks Send/Sync bounds, enabling data races and memory corruption across threads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

The may_queue crate (versions prior to 0.1.8) provides a concurrent queue (Queue) that incorrectly implements the Send and Sync traits without requiring the contained type T to also be Send or Sync. This violates Rust's thread-safety guarantees, as it allows types that are not safe to transfer between threads (e.g., Cell) to be shared across thread boundaries [1][3].

Exploitation

An attacker can exploit this flaw by pushing a non-Send type, such as std::cell::Cell, into the queue from one thread and popping it from another. The lack of bounds enables a data race: one thread repeatedly modifies the cell while another reads it, leading to undefined behavior. A proof-of-concept in the issue tracker demonstrates a segfault when a Cell containing a reference is overwritten with an integer, causing a dangling pointer dereference [4]. The attack requires no special privileges and can be triggered over the network if the queue is used in a networked service (CVSS attack vector: network) [3].

Impact

Successful exploitation results in memory corruption, which can lead to a denial of service (e.g., process crash) or potentially arbitrary code execution depending on the application's context. The CVSS score is 5.9 (medium), with high availability impact [3].

Mitigation

The vulnerability is fixed in may_queue version 0.1.8 and later, which adds proper Send and Sync bounds on the Queue type [3]. Users should update to the patched version immediately. No workaround is available for older versions.
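The bounded `unsafe impl` pattern that the Root Cause and Mitigation paragraphs refer to, as an added Rust example that is not may_queue's code. `DemoQueue`, `Probe` and the function names are hypothetical, and `Rc` is assumed here as the payload type that is not `Send`.

```rust
use std::{cell::UnsafeCell, collections::VecDeque, marker::PhantomData, rc::Rc, thread};
use std::sync::{atomic::{AtomicBool, Ordering}, Arc};
// Hypothetical spinlock queue standing in for a hand-written concurrent queue.
pub struct DemoQueue<T> {
    locked: AtomicBool,
    items: UnsafeCell<VecDeque<T>>, // UnsafeCell removes the automatic Sync impl
}

// Unsound form described in the advisory (no bound on T), kept only as a comment:
//     unsafe impl<T> Send for DemoQueue<T> {}
//     unsafe impl<T> Sync for DemoQueue<T> {}
// Bounded form: push/pop move T by value across threads, so T must be Send.
unsafe impl<T: Send> Send for DemoQueue<T> {}
unsafe impl<T: Send> Sync for DemoQueue<T> {}

impl<T> DemoQueue<T> {
    pub fn new() -> Self {
        DemoQueue { locked: AtomicBool::new(false), items: UnsafeCell::new(VecDeque::new()) }
    }
    fn with<R>(&self, f: impl FnOnce(&mut VecDeque<T>) -> R) -> R {
        while self.locked.swap(true, Ordering::Acquire) { std::hint::spin_loop(); }
        let out = f(unsafe { &mut *self.items.get() }); // exclusive while the lock is held
        self.locked.store(false, Ordering::Release);
        out
    }
    pub fn push(&self, v: T) { self.with(|q| q.push_back(v)) }
    pub fn pop(&self) -> Option<T> { self.with(|q| q.pop_front()) }
}

// Compile-time probe: the inherent const is chosen only when Q is Send + Sync.
trait Fallback { const SHAREABLE: bool = false; }
impl<Q: ?Sized> Fallback for Q {}
struct Probe<Q: ?Sized>(PhantomData<Q>);
impl<Q: ?Sized + Send + Sync> Probe<Q> { const SHAREABLE: bool = true; }
pub fn u64_queue_shareable() -> bool { <Probe<DemoQueue<u64>>>::SHAREABLE }
pub fn rc_queue_shareable() -> bool { <Probe<DemoQueue<Rc<u64>>>>::SHAREABLE }

// Several producer threads share one queue; the caller drains it after joining.
pub fn sum_across_threads(producers: u64, per_thread: u64) -> u64 {
    let q = Arc::new(DemoQueue::<u64>::new());
    let hs: Vec<_> = (0..producers).map(|_| {
        let q = Arc::clone(&q);
        thread::spawn(move || (1..=per_thread).for_each(|i| q.push(i)))
    }).collect();
    hs.into_iter().for_each(|h| h.join().unwrap());
    std::iter::from_fn(|| q.pop()).sum()
}

fn main() {
    println!("{} {} {}", u64_queue_shareable(), rc_queue_shareable(), sum_across_threads(4, 100));
}
```

With the bounds in place, moving an `Arc<DemoQueue<Rc<u64>>>` into `thread::spawn` is rejected at compile time; with the commented-out unbounded impls it would compile.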

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
may_queue (crates.io) | <= 0.1.8 |
