Login Sign Up

CVE-2020-36447

8.1 HIGH

📋 TL;DR

This vulnerability in the v9 Rust crate allows data races due to an unconditional Sync implementation for SyncRef<T>, violating Rust's safety guarantees. It affects applications using v9 crate versions through 2020-12-18. Attackers could exploit this to cause undefined behavior including crashes or data corruption.

💻 Affected Systems

Products:
  • v9 Rust crate
Versions: All versions through 2020-12-18
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the SyncRef type from the v9 crate.

📦 What is this software?

V9 by V9 Project

View all CVEs affecting V9 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption leading to arbitrary code execution, denial of service, or data integrity compromise through undefined behavior in Rust's unsafe code.

🟠

Likely Case

Application crashes, data corruption, or inconsistent program state due to data races in concurrent code.

🟢

If Mitigated

Limited impact if application doesn't use SyncRef in concurrent contexts or has other synchronization mechanisms.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions but could lead to service disruption.
🏢 Internal Only: MEDIUM - Similar risk profile but limited to internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of Rust's concurrency model and specific application usage patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v9 crate versions after 2020-12-18

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0127.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use v9 crate version > 0.0.0 (post 2020-12-18). 2. Run 'cargo update --package v9'. 3. Rebuild and redeploy application.

🔧 Temporary Workarounds

Avoid SyncRef usage

all

Refactor code to avoid using SyncRef type from v9 crate

Pin older version with patch

all

Manually apply fix by forking and patching the crate

git clone https://github.com/rust-secure-code/v9
Apply fix from advisory
Use local path dependency in Cargo.toml

🧯 If You Can't Patch

  • Isolate affected applications in containers or VMs with limited privileges
  • Implement additional application-level synchronization around SyncRef usage

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock for v9 crate version <= 0.0.0 (2020-12-18) and grep code for 'SyncRef' usage

Check Version:

grep -A2 'name = "v9"' Cargo.lock

Verify Fix Applied:

Verify Cargo.lock shows v9 crate version > 0.0.0 and run 'cargo audit' to confirm no RUSTSEC-2020-0127

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults
  • Unexpected panics in concurrent code
  • Data corruption errors

Network Indicators:

  • Increased error rates
  • Service degradation

SIEM Query:

source="application" AND ("panic" OR "segfault" OR "data race") AND process="rust_app"

📊 Metadata

CVE ID: CVE-2020-36447
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-362
Published: August 8, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-36447, you might also want to check these:

CVE-2025-43275 9.8

A race condition vulnerability in macOS allows malicious applications to escape their sandbox restri...

Same vulnerability type (CWE-362)
CVE-2021-32810 9.8

A race condition in crossbeam-deque Rust library versions before 0.7.4 and 0.8.0 allows tasks in wor...

Same vulnerability type (CWE-362)
CVE-2025-30444 9.8

A race condition vulnerability in macOS SMB client allows attackers to cause system termination (ker...

Same vulnerability type (CWE-362)