CVE-2021-45704
Description
AtomicBucket in metrics-util before 0.7.0 unconditionally implements Send/Sync, enabling data races and memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the metrics-util crate before version 0.7.0. The AtomicBucket<T> type unconditionally implements the Send and Sync traits because its inner Block<T> type declares unsafe impl<T> Send for Block<T> {} and unsafe impl<T> Sync for Block<T> {}. These impls apply even when T is !Send or !Sync, so safe code, with no unsafe blocks of its own, can expose the type to data races and memory corruption. Affected versions include 0.4.0-alpha.1 and 0.6.2 [1][2][3][4].
Exploitation
An attacker (or any user of the crate) can exploit this by using the AtomicBucket::data_with API from multiple threads concurrently on a T: !Sync type, such as Cell, to create a data race. The reference reproduction demonstrates a program that spawns a thread which repeatedly writes different values into a Cell while the main thread reads it, causing undefined behavior without requiring unsafe code. An attacker needs only network position to run code in the same process or the ability to trigger concurrent access; no special authentication is required beyond being able to invoke the safe API on the bucket [3][4].
Impact
Successful exploitation leads to data races and memory corruption. The specific consequences can include reading invalid or unexpected values, arbitrary memory read/write, or other undefined behavior depending on the T type used. This can result in denial of service, information disclosure, or potentially execution of arbitrary code in contexts where the corrupted data influences control flow. The attacker gains the ability to cause undefined behavior through safe APIs, bypassing Rust's safety guarantees [3][4].
Mitigation
The fix was applied in commit 8e6daab and released in metrics-util version 0.7.0. Users should update to 0.7.0 or later. The fix adds appropriate Send/Sync bounds to the Send/Sync implementations of Block, preventing unsound usage. No workaround is available; upgrading is required. The advisory is listed in the RustSec database as RUSTSEC-2021-0113 [4] and the CVE is not in the KEV catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
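The effect of the Send/Sync bounds described under Mitigation, as an added example that is not the crate's own code: UnboundedBlock and BoundedBlock are hypothetical one-slot stand-ins for Block<T>, and the implements! macro is an assumed helper that reports at compile time whether a type is Send or Sync.

```rust
use std::cell::{Cell, UnsafeCell};
use std::rc::Rc;

// Hypothetical stand-ins, not the crate's Block<T>: one interior-mutable slot.
// Pre-fix shape: Send/Sync asserted for every T.
#[allow(dead_code)]
struct UnboundedBlock<T>(UnsafeCell<Option<T>>);
unsafe impl<T> Send for UnboundedBlock<T> {}
unsafe impl<T> Sync for UnboundedBlock<T> {}

// Post-fix shape: the assertion holds only when T itself qualifies.
#[allow(dead_code)]
struct BoundedBlock<T>(UnsafeCell<Option<T>>);
unsafe impl<T: Send> Send for BoundedBlock<T> {}
unsafe impl<T: Sync> Sync for BoundedBlock<T> {}

// true when $ty implements $tr: the inherent const is selected only if the
// bound holds, otherwise lookup falls back to the blanket trait const.
macro_rules! implements {
    ($ty:ty, $tr:ident) => {{
        trait Fallback { const YES: bool = false; }
        impl<T: ?Sized> Fallback for T {}
        #[allow(dead_code)]
        struct Probe<T: ?Sized>(std::marker::PhantomData<T>);
        impl<T: ?Sized + $tr> Probe<T> { const YES: bool = true; }
        <Probe<$ty>>::YES
    }};
}

// Regression guard: the build fails if the Sync bound is ever dropped again.
const _: () = assert!(!implements!(BoundedBlock<Cell<u32>>, Sync));

/// (Send, Sync) of [unbounded, bounded] for T = Cell<u32>, which is Send but !Sync.
fn with_cell() -> [(bool, bool); 2] {
    [(implements!(UnboundedBlock<Cell<u32>>, Send), implements!(UnboundedBlock<Cell<u32>>, Sync)),
     (implements!(BoundedBlock<Cell<u32>>, Send), implements!(BoundedBlock<Cell<u32>>, Sync))]
}

/// Same probe for T = Rc<u32>, which is neither Send nor Sync.
fn with_rc() -> [(bool, bool); 2] {
    [(implements!(UnboundedBlock<Rc<u32>>, Send), implements!(UnboundedBlock<Rc<u32>>, Sync)),
     (implements!(BoundedBlock<Rc<u32>>, Send), implements!(BoundedBlock<Rc<u32>>, Sync))]
}

fn main() {
    println!("Cell<u32>: {:?}", with_cell());
    println!("Rc<u32>:   {:?}", with_rc());
}
```

A const assertion of this kind placed next to any hand-written unsafe impl Send/Sync turns a dropped bound into a compile error rather than a latent soundness hole.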
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| metrics-util (crates.io) | < 0.7.0 | 0.7.0 |
Affected products
- rust/metrics-util
Patches
8e6daab metrics-util: fix soundness issue with AtomicBucket<T>
1 file changed · +2 −2
metrics-util/src/bucket.rs+2 −2 modified@@ -96,8 +96,8 @@ impl<T> Block<T> { } } -unsafe impl<T> Send for Block<T> {} -unsafe impl<T> Sync for Block<T> {} +unsafe impl<T: Send> Send for Block<T> {} +unsafe impl<T: Sync> Sync for Block<T> {} impl<T> std::fmt::Debug for Block<T> { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
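Review bot: the two bounded `unsafe impl` lines for `Block<T>` carry no `// SAFETY:` comment, and the change (+2 −2 in one file) adds no test that would catch the bounds being dropped again. Suggest stating next to each impl why `T: Send` and `T: Sync` are sufficient, and adding a compile-fail test or static assertion that `Block<T>` is not `Sync` for a `T: !Sync` type. It is also worth confirming that `T: Sync` alone is enough for the `Sync` impl: if any `&self` method on the block can move or drop a `T` on a different thread than the one that inserted it (not visible in this hunk), the bound would need to be `T: Send + Sync`.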
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cwvc-87xq-pc5m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-45704 (ghsa, ADVISORY)
- github.com/metrics-rs/metrics/commit/8e6daab (ghsa, WEB)
- github.com/metrics-rs/metrics/issues/190 (ghsa, WEB)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/metrics-util/RUSTSEC-2021-0113.md (ghsa, x_refsource_MISC, WEB)
- rustsec.org/advisories/RUSTSEC-2021-0113.html (ghsa, x_refsource_MISC, WEB)