VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2021 · Updated Aug 4, 2024

CVE-2020-36468

Description

An issue was discovered in the cgc crate through 2020-12-10 for Rust. Ptr::write performs non-atomic write operations on an underlying pointer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Non-atomic write in Rust `cgc` crate's `Ptr::write` can cause data races, leading to undefined behavior in concurrent environments.

Vulnerability

The cgc crate (through 2020-12-10) contains a soundness issue in the Ptr type's write method. The Ptr::set function calls self.0.write(val), which performs a non-atomic write to the underlying raw pointer [2][3]. This violates Rust's aliasing and concurrency guarantees. The problem is compounded because Ptr implements Send and Sync unconditionally for any T, which allows non-thread-safe types such as Rc and Cell to be shared across threads [3].

Exploitation

An attacker with no privileges can exploit this vulnerability in a multithreaded context. If a Ptr is sent to another thread (allowed due to unsound Send/Sync implementations), concurrent calls to Ptr::set on the same memory location can result in data races [2][3]. The attack requires no user interaction; it only needs the program to use Ptr across threads without proper synchronization.

Impact

Successful exploitation leads to memory corruption and undefined behavior (e.g., read/write conflicts, unexpected crashes) [2]. This can potentially escalate to arbitrary memory access or denial-of-service, depending on the program's logic.

Mitigation

As of the publication date, no patched version of cgc has been released. The RustSec advisory RUSTSEC-2020-0148 lists the vulnerability as unmitigated [2]. Users should avoid using Ptr in multi-threaded code or apply manual fixes: restrict Send/Sync to types that are Send/Sync themselves, and replace write with atomic operations [3].
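
The manual fix described above, written out as an added example (not code from cgc or from the advisory). `SafePtr` and `concurrent_increments` are hypothetical names, and the owned raw-pointer layout is an assumption about how such a wrapper is built.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

/// Hypothetical stand-in for a raw-pointer wrapper like `Ptr<T>`; not cgc's code.
pub struct SafePtr<T>(*mut T);

// Thread-safety markers are conditional on the payload, so `SafePtr<Rc<_>>`
// or `SafePtr<Cell<_>>` can no longer be sent to or shared with another thread.
unsafe impl<T: Send> Send for SafePtr<T> {}
unsafe impl<T: Sync> Sync for SafePtr<T> {}

impl<T> SafePtr<T> {
    pub fn new(val: T) -> Self {
        SafePtr(Box::into_raw(Box::new(val)))
    }
    /// Shared access hands out only `&T`.
    pub fn get(&self) -> &T {
        // SAFETY: the pointer comes from Box::into_raw and is freed only in Drop.
        unsafe { &*self.0 }
    }
    /// A plain (non-atomic) overwrite needs `&mut self`, so the borrow checker
    /// rules out a concurrent caller.
    pub fn set(&mut self, val: T) {
        // SAFETY: exclusive borrow; the assignment drops the old value.
        unsafe { *self.0 = val }
    }
}

impl<T> Drop for SafePtr<T> {
    fn drop(&mut self) {
        // SAFETY: reclaims the allocation made in `new` exactly once.
        unsafe { drop(Box::from_raw(self.0)) }
    }
}

/// Writes through a shared handle go through an atomic payload instead of `write`.
pub fn concurrent_increments(threads: usize, per_thread: usize) -> usize {
    let shared = Arc::new(SafePtr::new(AtomicUsize::new(0)));
    let handles: Vec<_> = (0..threads).map(|_| {
        let p = Arc::clone(&shared);
        thread::spawn(move || for _ in 0..per_thread {
            p.get().fetch_add(1, Ordering::Relaxed);
        })
    }).collect();
    for h in handles { h.join().unwrap(); }
    shared.get().load(Ordering::Relaxed)
}

fn main() {
    println!("{}", concurrent_increments(4, 10_000));
}
```

With these bounds, moving a `SafePtr<Rc<u8>>` into `thread::spawn` is rejected at compile time rather than racing at run time.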

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
cgc (crates.io) | <= 0.4.0 | (none)

Affected products

2

Patches

0

No patches discovered yet.

References

5
