CVE-2020-36451 – This vulnerability in the rcu_cell Rust crate a... (How to Fix)

Q: What is the severity of CVE-2020-36451?

CVE-2020-36451 has a CVSS score of 8.1 (HIGH). This vulnerability in the rcu_cell Rust crate allows data races and memory corruption by incorrectly implementing Send and Sync traits for RcuCell<T> regardless of the type T's thread safety. This affects any Rust application using vulnerable versions of the rcu_cell crate, potentially leading to undefined behavior and security issues.

📋 TL;DR

This vulnerability in the rcu_cell Rust crate allows data races and memory corruption by incorrectly implementing Send and Sync traits for RcuCell<T> regardless of the type T's thread safety. This affects any Rust application using vulnerable versions of the rcu_cell crate, potentially leading to undefined behavior and security issues.

💻 Affected Systems

Products:

rcu_cell Rust crate

Versions: All versions through 2020-11-14

Operating Systems: All platforms running Rust applications

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Rust applications that import and use the rcu_cell crate with types that aren't thread-safe.

📦 What is this software?

Rcu Cell by Rcu Cell Project

View all CVEs affecting Rcu Cell →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption leading to arbitrary code execution, denial of service, or data integrity compromise in multi-threaded Rust applications.

🟠

Likely Case

Data races causing undefined behavior, application crashes, or incorrect program execution in concurrent Rust code.

🟢

If Mitigated

No impact if applications don't use rcu_cell or have proper thread safety controls and type constraints.

🌐 Internet-Facing: MEDIUM - Risk depends on whether vulnerable applications expose network interfaces and handle concurrent requests.

🏢 Internal Only: MEDIUM - Internal applications using rcu_cell with concurrent access patterns remain vulnerable to data races.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM - Requires understanding of Rust's concurrency model and crafting specific data race conditions.

Exploitation requires application-specific conditions where non-thread-safe types are used with RcuCell in concurrent contexts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2020-11-14 (specifically fixed in commit addressing the issue)

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0131.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use rcu_cell version > 0.1.5 or specify git commit with fix. 2. Run 'cargo update rcu_cell'. 3. Rebuild and redeploy application.

🔧 Temporary Workarounds

Avoid rcu_cell usage

all

Replace rcu_cell with alternative thread-safe synchronization primitives from Rust's standard library.

cargo remove rcu_cell
cargo add std::sync::Arc or other appropriate types

Manual trait bounds

all

Add explicit Send/Sync trait bounds on types used with RcuCell to ensure thread safety.

Modify Rust code to add where T: Send + Sync constraints

🧯 If You Can't Patch

Audit code for RcuCell usage with non-thread-safe types and refactor to avoid concurrent access.
Implement runtime checks or wrapper types that enforce thread safety before using RcuCell.

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for rcu_cell dependency version ≤ 0.1.5 or with commit date ≤ 2020-11-14.

Check Version:

grep rcu_cell Cargo.lock || cargo tree | grep rcu_cell

Verify Fix Applied:

Verify rcu_cell version > 0.1.5 in Cargo.lock and that Send/Sync implementations are conditional on T's traits.

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory corruption errors
Data race warnings from Rust's MIRI or sanitizers

Network Indicators:

Unusual application behavior under concurrent load

SIEM Query:

Process monitoring for Rust application crashes with memory-related error codes

📊 Metadata

CVE ID: CVE-2020-36451

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: August 8, 2021

Last Updated: November 21, 2024

🔗 References

https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/rcu_cell/RUSTSEC-2020-0131.md Third Party Advisory
https://rustsec.org/advisories/RUSTSEC-2020-0131.html Exploit,Patch,Third Party Advisory
https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/rcu_cell/RUSTSEC-2020-0131.md Third Party Advisory
https://rustsec.org/advisories/RUSTSEC-2020-0131.html Exploit,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-36451, you might also want to check these: