CVE-2020-36450
Description
An issue was discovered in the bunch crate through 2020-11-12 for Rust. There are unconditional implementations of Send and Sync for Bunch<T>.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The bunch crate for Rust unconditionally implements Send and Sync for Bunch<T>, enabling data races and undefined behavior.
Vulnerability
The bunch crate (versions up to and including the 2020-11-12 release) unconditionally implements Send and Sync for Bunch<T> without requiring T: Send or T: Sync [1][2]. This allows types that are not thread-safe, such as Cell, to be inserted into a Bunch and then shared across threads, leading to data races and undefined behavior [3].
Exploitation
An attacker can exploit this by writing Rust code that pushes a non-Sync type (e.g., Cell) into a Bunch, then wraps the Bunch in an Arc and shares it between threads. The proof-of-concept in reference [3] demonstrates a segmentation fault caused by a data race when one thread continuously modifies the Cell while another reads it. No special privileges or user interaction beyond running the code is required; the attack vector is network-based with high complexity [2].
Impact
Successful exploitation results in undefined behavior, memory corruption, and potential data races. This can lead to arbitrary code execution, information disclosure, or denial of service. The CVSS score is 8.1 (High) with high impact on confidentiality, integrity, and availability [2].
Mitigation
As of the RustSec advisory (RUSTSEC-2020-0130), no patched version of the bunch crate exists [2]. The recommended fix is to add T: Send and T: Sync bounds to the unsafe implementations. Until a fix is released, users should avoid using Bunch with non-thread-safe types or consider using alternative crates that properly enforce thread safety [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bunch (crates.io) | <= 0.1.0 | — |
Affected products
- bunch/bunch (description)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unconditional `unsafe impl<T> Sync for Bunch<T> {}` and `unsafe impl<T> Send for Bunch<T> {}` without requiring `T: Sync` or `T: Send` bounds, allowing data races on non-thread-safe types."
Attack vector
An attacker who can influence code using the `bunch` crate can exploit the missing `Sync`/`Send` bounds to create data races on types that are not thread-safe [CWE-362]. The attacker constructs a `Bunch` containing a `!Sync` type such as `Cell<T>`, wraps the `Bunch` in an `Arc`, and sends it to another thread [ref_id=1]. Both threads then call `Bunch::get()` concurrently to obtain `&T` references to the same `Cell`, producing a data race that can cause memory corruption or undefined behavior such as segmentation faults [ref_id=1][ref_id=2].
Affected code
The `Bunch<T>` type in the `bunch` crate unconditionally implements `unsafe impl<T> Sync for Bunch<T> {}` and `unsafe impl<T> Send for Bunch<T> {}` without requiring `T: Sync` or `T: Send` bounds [ref_id=1]. This allows types like `Cell<T>` or `Rc<T>` (which are `!Sync` or `!Send`) to be stored in a `Bunch` and then accessed from multiple threads via the `Bunch::get()` API, which returns `&T` [ref_id=2].
What the fix does
The advisory states the fix is to add a `T: Sync` bound to the `unsafe impl<T> Sync for Bunch<T> {}` declaration [ref_id=1]. No patched version of the crate has been published — the `[versions] patched = []` field in the advisory confirms no fix release exists [ref_id=2]. Without the bound, the compiler cannot prevent users from placing `!Sync` types into `Bunch` and sharing them across threads, which the fix would enforce at compile time.
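The difference the bounds make can be checked at compile time. The following is an added example, not code from the bunch crate or the advisory: `Unbounded`, `Bounded`, `Probe` and `Fallback` are hypothetical stand-ins, and the raw-pointer marker is an assumption standing in for whatever internals led to hand-written impls.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::sync::Arc;
use std::thread;

// Hypothetical stand-in containers. PhantomData<*const T> removes the auto
// traits, so Send/Sync exist only through the manual impls below.
#[allow(dead_code)]
pub struct Unbounded<T>(Vec<T>, PhantomData<*const T>);
pub struct Bounded<T>(Vec<T>, PhantomData<*const T>);

// The pattern described in the advisory: no bound on T.
unsafe impl<T> Send for Unbounded<T> {}
unsafe impl<T> Sync for Unbounded<T> {}

// The bounded form: the container is only as thread-safe as its element type.
unsafe impl<T: Send> Send for Bounded<T> {}
unsafe impl<T: Sync> Sync for Bounded<T> {}

impl<T> Bounded<T> {
    pub fn new(items: Vec<T>) -> Self { Bounded(items, PhantomData) }
    pub fn get(&self, i: usize) -> &T { &self.0[i] }
}

// Compile-time probe: the inherent const applies only when T: Sync holds;
// otherwise resolution falls back to the trait's default of false.
#[allow(dead_code)]
pub struct Probe<T>(PhantomData<T>);
pub trait Fallback { const IS_SYNC: bool = false; }
impl<T> Fallback for Probe<T> {}
impl<T: Sync> Probe<T> { pub const IS_SYNC: bool = true; }

pub fn unbounded_cell_is_sync() -> bool { <Probe<Unbounded<Cell<u8>>>>::IS_SYNC }
pub fn bounded_cell_is_sync() -> bool { <Probe<Bounded<Cell<u8>>>>::IS_SYNC }
pub fn bounded_u32_is_sync() -> bool { <Probe<Bounded<u32>>>::IS_SYNC }

// Legitimate use still compiles: u32 is Send + Sync, so the Arc may cross threads.
pub fn sum_on_worker() -> u32 {
    let shared = Arc::new(Bounded::new(vec![1u32, 2, 3])); // constructed sample data
    let worker = Arc::clone(&shared);
    thread::spawn(move || (0..3).map(|i| *worker.get(i)).sum::<u32>()).join().unwrap()
}

fn main() {
    println!("Unbounded<Cell<u8>>: Sync = {}", unbounded_cell_is_sync());
    println!("Bounded<Cell<u8>>:   Sync = {}", bounded_cell_is_sync());
    println!("Bounded<u32>:        Sync = {}", bounded_u32_is_sync());
    println!("sum on worker thread = {}", sum_on_worker());
}
```

With the bounded impls, replacing `u32` with `Cell<u32>` in `sum_on_worker` is rejected by the compiler, because `Arc<Bounded<Cell<u32>>>` is no longer `Send`.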
Preconditions
- input: The attacker's code must use the `bunch` crate to store a type that is `!Sync` (e.g., `Cell`) or `!Send` (e.g., `Rc`) inside a `Bunch`.
- network: The `Bunch` must be shared across threads (e.g., via `Arc<Bunch>`) and `Bunch::get()` called concurrently from multiple threads.
- config: No patched version of the crate is available; the vulnerability exists in all versions through 2020-11-12.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jwph-qp5h-f9wj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-36450 (ghsa, ADVISORY)
- github.com/krl/bunch/issues/1 (ghsa, WEB)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/bunch/RUSTSEC-2020-0130.md (ghsa, x_refsource_MISC, WEB)
- rustsec.org/advisories/RUSTSEC-2020-0130.html (ghsa, x_refsource_MISC, WEB)