CVE-2020-36441
Description
An issue was discovered in the abox crate before 0.4.1 for Rust. It implements Send and Sync for AtomicBox with no requirement for T: Send and T: Sync.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AtomicBox in abox before 0.4.1 implements Send/Sync without requiring T: Send and T: Sync, enabling thread-safety violations and potential memory corruption.
Vulnerability
In the abox crate prior to version 0.4.1, the AtomicBox type incorrectly implements the Send and Sync traits for any T: Sized, without requiring that T itself be Send or Sync [1][2][4]. This means that AtomicBox can be sent across threads or shared between threads even when T does not uphold the safety guarantees of those traits. The flaw is rooted in the missing trait bounds on the generic parameter T in the unsafe impl blocks for Send and Sync [2]. All versions of abox before 0.4.1 are affected [4].
Exploitation
An attacker does not require any special privileges or authentication to exploit this vulnerability. The unsafe code providing Send/Sync for AtomicBox is automatically available to any user of the crate who constructs an AtomicBox with a non-Send/Sync type T [1][4]. By sending or sharing such an AtomicBox across threads, a program can initiate data races on the inner type, even if the inner type is not designed for concurrent access. No user interaction beyond using the crate in a multi-threaded context is needed [4].
Impact
Successful exploitation can lead to undefined behavior, most commonly memory corruption due to data races [4]. The crate's advisory categorizes this under memory-corruption and thread-safety. The CVSS score is 8.1 (HIGH) with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning an attacker may gain complete compromise of confidentiality, integrity, and availability [4]. The impact is magnified because the flaw is in a foundational type provided by the crate, affecting any program using AtomicBox with an unsuitable type in a multi-threaded environment.
Mitigation
The vulnerability is fixed in version 0.4.1 of abox [1][2][4]. The fix adds the required trait bounds T: Send and T: Sync to the unsafe impl blocks for the corresponding traits [2]. All users should upgrade to 0.4.1 or later. No workaround is available, as the flaw is inherent to the type's design; stopping multi-threaded use of AtomicBox with non-Send/Sync types is the only alternative. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog [3].
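A minimal AtomicBox-style container with the corrected bounds, as an added example (it is not the abox crate's code). It assumes a swap-only API, so `Sync` here carries the patch's `T: Sync` bound plus `T: Send`, which swapping through `&self` needs; `concurrent_swaps` exercises the type from several threads and returns every value that passed through it.

```rust
use std::sync::atomic::{AtomicPtr, Ordering};
use std::thread;

/// Heap value whose pointer is replaced atomically (constructed for this page).
/// Note: AtomicPtr<T> is Send + Sync for every T, so without the explicit impls
/// below this struct would silently be Send + Sync for any T, the same bug the
/// crate had with its unbounded `unsafe impl<T: Sized> Send/Sync` blocks.
pub struct AtomicBox<T> {
    ptr: AtomicPtr<T>,
}

impl<T> AtomicBox<T> {
    pub fn new(value: T) -> Self {
        AtomicBox { ptr: AtomicPtr::new(Box::into_raw(Box::new(value))) }
    }

    /// Replace the stored value through a shared reference, returning the old one.
    pub fn swap(&self, value: T) -> T {
        let new = Box::into_raw(Box::new(value));
        let old = self.ptr.swap(new, Ordering::AcqRel);
        // SAFETY: `old` came from Box::into_raw and was just unlinked by the
        // atomic swap, so this thread is its only owner.
        *unsafe { Box::from_raw(old) }
    }
}

impl<T> Drop for AtomicBox<T> {
    fn drop(&mut self) {
        // SAFETY: &mut self gives exclusive access; the pointer is still live.
        unsafe { drop(Box::from_raw(*self.ptr.get_mut())) }
    }
}

// The bounds the fix requires: AtomicBox<Rc<u64>> is now neither Send nor Sync.
// Sync also needs T: Send because swap(&self) moves a T out on the caller's thread.
unsafe impl<T: Send> Send for AtomicBox<T> {}
unsafe impl<T: Send + Sync> Sync for AtomicBox<T> {}

/// Compile-time check: only instantiable for Send + Sync types.
fn assert_send_sync<T: Send + Sync>() {}

/// Threads 1..=n each swap in their own id; the sorted multiset of values that
/// came back out (plus the final resident) must be exactly 0..=n.
pub fn concurrent_swaps(n_threads: u64) -> Vec<u64> {
    assert_send_sync::<AtomicBox<u64>>();
    // assert_send_sync::<AtomicBox<std::rc::Rc<u64>>>(); // rejected by the bounds above
    let shared = AtomicBox::new(0);
    let shared_ref = &shared;
    let mut out: Vec<u64> = thread::scope(|s| {
        let handles: Vec<_> = (1..=n_threads).map(|i| s.spawn(move || shared_ref.swap(i))).collect();
        handles.into_iter().map(|h| h.join().unwrap()).collect()
    });
    out.push(shared.swap(0)); // whatever value was left inside
    out.sort_unstable();
    out
}
```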
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| abox (crates.io) | < 0.4.1 | 0.4.1 |
Affected products
- Rust/abox
Patches
1 file changed · +2 −2
src/lib.rs+2 −2 modified@@ -89,8 +89,8 @@ impl<T: Sized> Drop for AtomicBox<T> { } } -unsafe impl<T: Sized> Sync for AtomicBox<T> {} -unsafe impl<T: Sized> Send for AtomicBox<T> {} +unsafe impl<T: Sized + Sync> Sync for AtomicBox<T> {} +unsafe impl<T: Sized + Send> Send for AtomicBox<T> {} #[cfg(test)] mod tests {
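Review bot: the `Sync` impl in this hunk only requires `T: Sync`, but if `AtomicBox<T>` lets a `&self` caller swap or take the inner value (which the type's name suggests), a shared reference held on another thread can move a `T` across threads, so `Sync` should also require `T: Send`, the way `std::sync::Mutex<T>` does; suggest `unsafe impl<T: Sized + Send + Sync> Sync for AtomicBox<T> {}`, or a comment explaining why `T: Sync` alone is sufficient for this API. Also worth adding a compile-fail test (for instance that `AtomicBox<Rc<u8>>` is not `Send`) so the bounds cannot be dropped again unnoticed; the `Sized` bounds are redundant, since type parameters are `Sized` by default.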
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r626-fc64-3q28 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36441 (advisory)
- github.com/SonicFrog/abox/commit/34c2b9e (web)
- github.com/SonicFrog/abox/issues/1 (web)
- github.com/SonicFrog/abox/pull/2 (web)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/abox/RUSTSEC-2020-0121.md (web)
- rustsec.org/advisories/RUSTSEC-2020-0121.html (web)
News mentions
No linked articles in our index yet.