CVE-2020-36218
Description
An issue was discovered in the buttplug crate before 1.0.4 for Rust. ButtplugFutureStateShared does not properly consider (!Send|!Sync) objects, leading to a data race.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race vulnerability in the Rust buttplug crate (before 1.0.4) allows unsound concurrent access to non-Send/Sync types via unsafe auto-implemented traits.
What the
Vulnerability Is
CVE-2020-36218 is a memory-safety and soundness issue in the buttplug Rust crate (versions before 1.0.4). The root cause lies in the ButtplugFutureStateShared type, which unconditionally implements Send and Sync via unsafe impl blocks [3]. This bypasses Rust's thread-safety guarantees, allowing a type holding (!Send | !Sync) objects—such as Cell—to be shared across threads without any synchronization [4].
How
It Is Exploited
An attacker can exploit this by crafting a proof-of-concept (PoC) program that sends a ButtplugFutureStateShared containing a Cell into a spawned thread while the main thread concurrently reads from that Cell [2][4]. No authentication or special network position is required if the vulnerable code is used in a multi-threaded context. The official PoC demonstrates a segmentation fault when two threads race to read and write the same Cell [4].
Impact
Successful exploitation leads to a data race on objects that are not Send or Sync, resulting in undefined behavior. The CVSS score (5.9 medium) indicates a high availability impact, as the race can cause a crash (segfault) or memory corruption [3]. Confidentiality and integrity are not directly impacted per the CVSS vector.
Mitigation
The vulnerability is patched in version 1.0.4 of the buttplug crate [1][3]. Users should update to that version or later. There is no known workaround for older versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
buttplugcrates.io | < 1.0.4 | 1.0.4 |
Affected products
3- Rust/buttplugdescription
Patches
16c51e5253493doc: Update CHANGELOG/VERSION for v1.0.4
2 files changed · +8 −1
buttplug/Cargo.toml+1 −1 modified@@ -1,6 +1,6 @@ [package] name = "buttplug" -version = "1.0.3" +version = "1.0.4" authors = ["Nonpolynomial Labs, LLC <kyle@nonpolynomial.com>"] description = "Buttplug Intimate Hardware Control Library" license = "BSD-3-Clause"
buttplug/CHANGELOG.md+7 −0 modified@@ -1,3 +1,10 @@ +# 1.0.4 (2021-01-02) + +## Features + +- #238: XInput gamepads now fire Disconnection events, which should stop devices from being + double-added. + # 1.0.3 (2021-01-01) ## Features
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-r7rv-2rph-hvhjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-36218ghsaADVISORY
- github.com/buttplugio/buttplug-rs/issues/225ghsaWEB
- rustsec.org/advisories/RUSTSEC-2020-0112.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.