CVE-2020-36445

8.1 HIGH

📋 TL;DR

The convec Rust crate implements Send and Sync for ConVec<T> unconditionally, i.e. for every element type T, including types such as Rc<T>, Cell<T>, RefCell<T> or raw pointers that are not safe to move or share across threads. Safe Rust code can therefore hand such a ConVec to another thread, and the resulting data race is undefined behaviour: crashes, silent data corruption or, in the worst case, an exploitable memory-safety bug. Any application whose dependency graph includes an affected convec version is exposed.

💻 Affected Systems

Products:
  • convec Rust crate
Versions: All versions through 2020-11-24
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Rust applications that import and use the convec crate.

📦 What is this software?

convec is a small third-party Rust crate published on crates.io that provides ConVec<T>, a vector type intended to be shared between threads. It is not part of the Rust standard library or toolchain; an application is exposed only if the crate appears in its dependency graph, directly or through another dependency.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption leading to arbitrary code execution, denial of service, or data integrity compromise.

🟠

Likely Case

Application crashes, data corruption, or undefined behavior due to data races in concurrent code.

🟢

If Mitigated

No impact if the application never moves or shares a ConVec across threads, or only ever stores element types that are themselves Send + Sync in it.

🌐 Internet-Facing: MEDIUM - Depends on whether vulnerable code handles untrusted input in concurrent contexts.
🏢 Internal Only: MEDIUM - Internal applications using convec in concurrent code remain vulnerable.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a code path in the application that moves or shares a ConVec holding a non-Send or non-Sync element type across threads. The flaw is in the crate's trait impls (its safety contract), not in a particular function, so there is no single attacker-reachable primitive; the practical consequences depend on which race the application's own code sets up and how the compiler optimised it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None. RUSTSEC-2020-0125 lists no patched release; all versions through 2020-11-24 are affected and the fix is to drop the dependency.

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0125.html

Restart Required: Yes (the application must be rebuilt against the changed dependency set and redeployed; a running binary still contains the affected code)

Instructions:

1. Remove the convec dependency from Cargo.toml, or replace it with a standard library construction or another maintained concurrent collection.
2. Run 'cargo update' so that Cargo.lock no longer lists convec, and confirm no other dependency pulls it in transitively.
3. Rebuild and redeploy the application.
4. Test the code paths that previously used ConVec, especially those that share data between threads.

🔧 Temporary Workarounds

Remove convec dependency (Platform: all)

Replace ConVec with a standard library construction such as Arc<Mutex<Vec<T>>> or Arc<RwLock<Vec<T>>>, or with another maintained concurrent collection. 'cargo remove' requires Cargo 1.66 or later; on older toolchains delete the dependency line from Cargo.toml by hand.

cargo remove convec
cargo update

Isolate convec usage (Platform: all)

Keep each ConVec instance confined to a single thread, or, where an instance must be shared, store only element types that are themselves Send + Sync. The data race the advisory describes arises when an element type that is not Send or not Sync (Rc<T>, Cell<T>, RefCell<T>, raw pointers) crosses a thread boundary through the crate's unconditional impls.

🧯 If You Can't Patch

  • Audit the codebase for every ConVec instance and confirm that none holding a non-Send or non-Sync element type is moved to, or shared with, another thread
  • Enforce that constraint at compile time by wrapping ConVec in a newtype whose type parameter carries a T: Send + Sync bound, so misuse fails to build instead of racing at runtime
  • Exercise the concurrent code paths under a race detector (Miri's data race detection, or ThreadSanitizer via RUSTFLAGS="-Zsanitizer=thread" on a nightly toolchain); runtime checks added to application code cannot reliably detect a data race after the fact
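The compile-time mitigation above, as an added example (not code from the convec crate or from the advisory). UnsoundVec<T> is a hypothetical stand-in that reproduces only the bug class, an unconditional unsafe impl<T> Send and Sync over a Mutex-protected Vec; convec's real internals are not reproduced here. BoundedVec<T> is the newtype wrapper that restores the T: Send + Sync bounds:

```rust
use std::rc::Rc;
use std::sync::{Arc, Mutex};
use std::thread;

/// Hypothetical stand-in for the affected crate's ConVec<T>: a container whose
/// author declared it Send and Sync for *every* T. The two `unsafe impl` lines
/// are the bug class the advisory describes: they override the compiler's
/// auto-trait inference, so even `UnsoundVec<Rc<u8>>` is accepted as Sync.
pub struct UnsoundVec<T> {
    inner: Mutex<Vec<T>>,
}

unsafe impl<T> Send for UnsoundVec<T> {}
unsafe impl<T> Sync for UnsoundVec<T> {}

impl<T> UnsoundVec<T> {
    pub fn new() -> Self {
        UnsoundVec { inner: Mutex::new(Vec::new()) }
    }
    pub fn push(&self, v: T) {
        self.inner.lock().unwrap().push(v);
    }
    pub fn len(&self) -> usize {
        self.inner.lock().unwrap().len()
    }
}

/// Mitigation: a newtype that restores the missing bounds. A `BoundedVec<T>`
/// can only be named or constructed with `T: Send + Sync`, so the unsound
/// blanket impls on the inner type are no longer reachable with a
/// non-thread-safe element type. `BoundedVec<Rc<u8>>` is a compile error.
pub struct BoundedVec<T: Send + Sync>(UnsoundVec<T>);

impl<T: Send + Sync> BoundedVec<T> {
    pub fn new() -> Self {
        BoundedVec(UnsoundVec::new())
    }
    pub fn push(&self, v: T) {
        self.0.push(v)
    }
    pub fn len(&self) -> usize {
        self.0.len()
    }
}

/// Spawns `threads` workers that each push `per_thread` values into one shared
/// BoundedVec<u64> and returns the final length (threads * per_thread).
pub fn push_from_threads(threads: usize, per_thread: usize) -> usize {
    let shared = Arc::new(BoundedVec::<u64>::new());
    let handles: Vec<_> = (0..threads)
        .map(|t| {
            let v = Arc::clone(&shared);
            thread::spawn(move || {
                for i in 0..per_thread {
                    v.push((t * per_thread + i) as u64);
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    shared.len()
}

/// Shows why the bounds matter: with the raw type this compiles and moves an
/// `Rc` (neither Send nor Sync) onto another thread. Nothing touches the Rc
/// concurrently here, so this particular run does not race; it only shows that
/// the type system accepted the transfer. A second clone of that Rc used on the
/// main thread while the worker ran would be the data race the advisory warns
/// about.
pub fn unsound_type_crosses_threads() -> bool {
    let v: Arc<UnsoundVec<Rc<u8>>> = Arc::new(UnsoundVec::new());
    let v2 = Arc::clone(&v);
    // Compiles only because of the unconditional impls above.
    thread::spawn(move || v2.push(Rc::new(1))).join().unwrap();
    v.len() == 1
}

fn main() {
    println!("pushed {} values from 4 threads", push_from_threads(4, 250));
    println!("Rc accepted across threads: {}", unsound_type_crosses_threads());
}
```

With the two `unsafe impl` lines deleted, the compiler derives the correct conditional impls for UnsoundVec<T> on its own (Mutex<Vec<T>> is Send and Sync exactly when T: Send). Manual impls are only needed for types built on raw pointers, and then they must carry the same bounds: `unsafe impl<T: Send> Send` and `unsafe impl<T: Send + Sync> Sync`.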

🔍 How to Verify

Check if Vulnerable:

Inspect Cargo.lock for any [[package]] entry named 'convec'. The advisory lists no patched release, so every version that appears is affected. 'cargo audit' (from the RustSec project) reports the dependency as RUSTSEC-2020-0125.

Check Version:

grep -A2 'name = "convec"' Cargo.lock

Verify Fix Applied:

Confirm that 'cargo tree' no longer lists convec anywhere in the dependency graph, including as a transitive dependency, and that Cargo.lock contains no convec entry.
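A lockfile check for the verification steps above, as an added example written for this page (not a RustSec or Cargo tool). It parses the [[package]] tables of a Cargo.lock with plain string handling, lists every convec entry, and exits non-zero when one is found. The embedded lockfile is constructed for the example, and its convec version string is a placeholder rather than a real release number:

```rust
/// One `[[package]]` entry from a Cargo.lock file.
#[derive(Debug, Clone, PartialEq)]
pub struct LockPackage {
    pub name: String,
    pub version: String,
    pub source: Option<String>,
}

/// Minimal parser for the `[[package]]` tables of a Cargo.lock. Only the
/// `name`, `version` and `source` keys are read; `checksum` and the
/// `dependencies` array are skipped. Example code for this page; a production
/// tool should use the `toml` or `cargo-lock` crate instead.
pub fn parse_lockfile(text: &str) -> Vec<LockPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockPackage> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(LockPackage { name: String::new(), version: String::new(), source: None });
            continue;
        }
        if line.starts_with('[') {
            // Any other table (e.g. [metadata]) ends the current package.
            if let Some(p) = current.take() {
                packages.push(p);
            }
            continue;
        }
        // Lines inside a dependencies array have no '=' and fall through.
        if let (Some(pkg), Some((key, value))) = (current.as_mut(), line.split_once('=')) {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => pkg.name = value,
                "version" => pkg.version = value,
                "source" => pkg.source = Some(value),
                _ => {}
            }
        }
    }
    if let Some(p) = current.take() {
        packages.push(p);
    }
    packages
}

/// Returns every convec entry. RUSTSEC-2020-0125 lists no patched release, so
/// any hit means the build is exposed; the version is reported for the ticket,
/// not compared against a fixed range.
pub fn find_convec(packages: &[LockPackage]) -> Vec<&LockPackage> {
    packages.iter().filter(|p| p.name == "convec").collect()
}

/// Constructed sample lockfile (not from a real project). The convec version
/// is a placeholder; real release numbers are deliberately not reproduced.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "convec"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "my-service"
version = "0.1.0"
dependencies = [
 "convec",
]
"#;

fn main() {
    // Replace SAMPLE_LOCK with std::fs::read_to_string("Cargo.lock") in CI.
    let packages = parse_lockfile(SAMPLE_LOCK);
    let hits = find_convec(&packages);
    if hits.is_empty() {
        println!("convec not present in lockfile");
        return;
    }
    for p in hits {
        println!("AFFECTED: {} {} ({})", p.name, p.version, p.source.as_deref().unwrap_or("path/local"));
    }
    std::process::exit(1);
}
```

Run it in CI beside `cargo audit`; the lockfile route catches the crate even when it arrives as a transitive dependency, and `cargo tree -i convec` then shows which direct dependency pulls it in.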

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults
  • Memory access violations
  • Unexpected panics in concurrent code

Network Indicators:

  • None specific - this is a library memory safety issue

SIEM Query:

Application logs containing 'panicked at', or SIGSEGV / SIGABRT / segmentation fault records for Rust binaries. Treat these as weak signals only: a data race is undefined behaviour and may corrupt data silently without producing any log line, so dependency inventory (Cargo.lock, SBOM) remains the reliable way to find exposed builds.

🔗 References

  • RustSec advisory RUSTSEC-2020-0125: https://rustsec.org/advisories/RUSTSEC-2020-0125.html
  • NVD entry for CVE-2020-36445: https://nvd.nist.gov/vuln/detail/CVE-2020-36445