CVE-2020-36215
📋 TL;DR
This vulnerability in the hashconsing Rust crate allows memory corruption because HConsed implements Send and Sync without requiring those bounds on its contents. It affects Rust applications that use hashconsing versions before 1.1.0 to share data across threads.
💻 Affected Systems
- hashconsing Rust crate
📦 What is this software?
Hashconsing by Hashconsing Project
⚠️ Risk & Real-World Impact
Worst Case
Memory corruption leading to arbitrary code execution, application crashes, or data corruption in multi-threaded Rust applications.
Likely Case
Application crashes, data corruption, or undefined behavior when HConsed objects are shared unsafely between threads.
If Mitigated
Minimal impact if applications don't use hashconsing in multi-threaded contexts or have proper thread isolation.
🎯 Exploit Status
Exploitation requires a multi-threaded Rust application that uses a vulnerable version of the hashconsing crate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.0
Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0107.html
Restart Required: Yes
Instructions:
1. Update Cargo.toml to require hashconsing >=1.1.0
2. Run 'cargo update' to fetch new version
3. Rebuild and redeploy application
🔧 Temporary Workarounds
- Avoid multi-threaded usage
- Ensure HConsed objects are not shared between threads
🧯 If You Can't Patch
- Isolate hashconsing usage to single-threaded contexts only
- Implement manual synchronization around all HConsed access
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock or run 'cargo tree | grep hashconsing' to see installed version
Check Version:
cargo tree | grep hashconsing
Verify Fix Applied:
Verify hashconsing >=1.1.0 appears in Cargo.lock after update
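The verification step above can be automated instead of eyeballing `cargo tree` output. The following Rust program is an added example, not code from this advisory or from the hashconsing crate: it scans the text of a Cargo.lock file for every `[[package]]` entry named hashconsing and reports any resolved version older than the patched 1.1.0. It checks every entry rather than the first one, because a lockfile can pin two copies of the same crate when different dependencies require incompatible versions, and a single unpatched copy is enough to keep the application exposed. The Cargo.lock fragment in the block is constructed for the example.

```rust
// Added example (not part of the advisory or the hashconsing crate):
// scan Cargo.lock text for every resolved version of hashconsing and report
// whether any is below the patched 1.1.0.

const CRATE: &str = "hashconsing";
const FIXED: (u64, u64, u64) = (1, 1, 0);

/// Parse "MAJOR.MINOR.PATCH" into a tuple; a pre-release or build suffix
/// (e.g. "1.1.0-beta") is ignored for the comparison.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    Some((major, minor, patch))
}

/// Read the value of a `key = "value"` line from Cargo.lock.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start();
    let rest = rest.strip_prefix('=')?.trim_start().strip_prefix('"')?;
    rest.split('"').next()
}

/// Collect all versions of `crate_name` resolved in a Cargo.lock text.
/// Every [[package]] block is inspected, since the same crate may appear
/// more than once with different versions.
fn lock_versions(lock: &str, crate_name: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut current_name: Option<String> = None;
    for line in lock.lines() {
        let t = line.trim();
        if t == "[[package]]" {
            current_name = None;
        } else if let Some(n) = quoted_value(t, "name") {
            current_name = Some(n.to_string());
        } else if let Some(v) = quoted_value(t, "version") {
            if current_name.as_deref() == Some(crate_name) {
                found.push(v.to_string());
            }
        }
    }
    found
}

/// Return the resolved hashconsing versions that are older than 1.1.0.
/// An empty result means the crate is absent or every copy is patched.
fn vulnerable_versions(lock: &str) -> Vec<String> {
    lock_versions(lock, CRATE)
        .into_iter()
        .filter(|v| match parse_version(v) {
            Some(t) => t < FIXED,
            None => true, // unparsable version string: treat as suspect
        })
        .collect()
}

// Constructed sample Cargo.lock fragment: two copies of hashconsing, one
// unpatched (1.0.1) and one patched (1.1.0), plus an unrelated crate.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "hashconsing"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "other-crate"
version = "0.1.0"

[[package]]
name = "hashconsing"
version = "1.1.0"
"#;

fn main() {
    // In real use, read the project's Cargo.lock instead of SAMPLE_LOCK.
    let bad = vulnerable_versions(SAMPLE_LOCK);
    if bad.is_empty() {
        println!("no hashconsing version below 1.1.0 found");
    } else {
        println!("vulnerable hashconsing versions: {:?}", bad);
    }
}
```

Run against the sample the program reports `["1.0.1"]`; after `cargo update` has moved every copy to 1.1.0 or later the list is empty, which is the condition to check in CI before redeploying.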
📡 Detection & Monitoring
Log Indicators:
- Segmentation faults
- Memory access violation errors
- Unexpected application crashes
SIEM Query:
Application logs containing 'segmentation fault', 'SIGSEGV', or 'memory corruption' in Rust applications