Critical severity · NVD Advisory · Published Mar 5, 2021 · Updated Aug 3, 2024

CVE-2021-28037

Description

An issue was discovered in the internment crate before 0.4.2 for Rust. There is a data race that can cause memory corruption because of the unconditional implementation of Sync for Intern<T>.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unconditional Sync implementation in internment crate before 0.4.2 allows data races on non-Sync types, leading to memory corruption.

Vulnerability

Description

The internment crate (versions prior to 0.4.2) unconditionally implements Sync for Intern<T>, even when T is not Sync [1][3]. This violates Rust's thread-safety guarantees, as Sync is intended only for types that are safe to share across threads. The flaw was introduced because the Intern type uses unsafe impl<T> Sync for Intern<T> {} without requiring T: Sync [4].

Exploitation

An attacker can exploit this by constructing an Intern<T> where T is a non-Sync type (e.g., Cell<...>) and then sharing that interned value across threads using safe APIs [4]. The provided reproduction demonstrates a data race where one thread writes to a Cell while another reads it, leading to undefined behavior such as reading a dangling pointer [4]. No special privileges or user interaction are required; the attack can be launched over a network if the application processes untrusted data [2][3].

Impact

Successful exploitation results in memory corruption, which can lead to arbitrary code execution, information disclosure, or denial of service [2][3]. The CVSS score is 9.8 (Critical) with high impacts on confidentiality, integrity, and availability [3].

Mitigation

The issue is fixed in version 0.4.2 of the internment crate [3]. Users should update to this version or later. No workarounds are available for affected versions [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
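
The unconditional impl described above beside a bounded one, as an added example that is not the internment crate's code. `Unbounded`, `Bounded`, `Probe`, `Fallback` and `is_sync!` are hypothetical names, and the `T: Sync` bound is an assumption taken from the description rather than a copy of the 0.4.2 patch. The probe reports at compile time whether a concrete type is Sync, so a crate can pin the expected answer in its build and tests.

```rust
use std::cell::Cell;
use std::marker::PhantomData;

// Hypothetical stand-ins for an interned handle: a raw pointer to a shared T.
// Raw pointers are neither Send nor Sync, so any Sync impl is written by hand.
#[allow(dead_code)]
pub struct Unbounded<T>(*const T);
#[allow(dead_code)]
pub struct Bounded<T>(*const T);

// Pattern from the advisory: Sync for every T, including non-Sync T. Unsound.
unsafe impl<T> Sync for Unbounded<T> {}
// Bounded form (assumed bound): the handle is Sync only when the pointee is.
unsafe impl<T: Sync> Sync for Bounded<T> {}

// Compile-time probe: the inherent const is chosen when `T: Sync` holds,
// otherwise lookup falls back to the trait's default of `false`.
#[allow(dead_code)]
struct Probe<T: ?Sized>(PhantomData<T>);
trait Fallback {
    const IS_SYNC: bool = false;
}
impl<T: ?Sized> Fallback for Probe<T> {}
impl<T: ?Sized + Sync> Probe<T> {
    const IS_SYNC: bool = true;
}
macro_rules! is_sync {
    ($t:ty) => { <Probe<$t>>::IS_SYNC };
}

// Regression guard: the build fails if the bounded handle is ever Sync
// for a Cell payload.
const _: () = assert!(!is_sync!(Bounded<Cell<u32>>));

pub fn unbounded_cell_is_sync() -> bool { is_sync!(Unbounded<Cell<u32>>) }
pub fn bounded_cell_is_sync() -> bool { is_sync!(Bounded<Cell<u32>>) }
pub fn bounded_str_is_sync() -> bool { is_sync!(Bounded<&'static str>) }

fn main() {
    println!("Unbounded<Cell<u32>>:  Sync = {}", unbounded_cell_is_sync());
    println!("Bounded<Cell<u32>>:    Sync = {}", bounded_cell_is_sync());
    println!("Bounded<&'static str>: Sync = {}", bounded_str_is_sync());
}
```

The probe only works on concrete types, so the guard has to name a representative non-Sync payload such as `Cell<u32>`.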

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: internment (crates.io)
Affected versions: < 0.4.2
Patched versions: 0.4.2
