CVE-2020-36458
Rust vulnerability analysis and mitigation

Overview

An issue was discovered in the lexer crate through 2020-11-10 for Rust, involving improper implementation of the Sync trait for ReaderResult. The vulnerability (CVE-2020-36458) was reported on November 10, 2020, and affects all versions of the lexer crate up to and including the last known version from 2020-11-10. This vulnerability has been assigned a CVSS score of 8.1 (HIGH) (RustSec Advisory).

Technical details

The vulnerability stems from the implementation of the Sync trait for ReaderResult with trait bounds of T: Send, E: Send. Matching on the public enum ReaderResult provides access to &T and &E references, which can lead to data races when T or E is not Sync. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high-severity vulnerability with network attack vector, high attack complexity, and no required privileges or user interaction (RustSec Advisory).

Impact

This vulnerability can result in memory corruption when multiple threads concurrently access &T or &E references. The impact is significant as it affects the thread safety of applications using the lexer crate, potentially leading to data corruption and security issues in multi-threaded environments (RustSec Advisory).

Mitigation and workarounds

The suggested fix is to change the trait bounds imposed on T & E to be T: Sync, E: Sync instead of T: Send, E: Send. However, as of the last known information, there are no patched versions available (RustSec Advisory).
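The bound described under Technical details and the suggested bound can be compared at compile time. The following is an added example, not code from the lexer crate or the advisory: FlawedResult and FixedResult are hypothetical stand-ins for ReaderResult with assumed variant names, and Probe is a helper introduced here.

```rust
use std::cell::Cell;
use std::marker::PhantomData;

// Hypothetical stand-ins for the crate's public enum (variant names assumed).
#[allow(dead_code)]
pub enum FlawedResult<T, E> { Value(T), Error(E) }
#[allow(dead_code)]
pub enum FixedResult<T, E> { Value(T), Error(E) }

// Bound described in the advisory: Send alone is accepted, although sharing
// a reference to the enum across threads hands out &T and &E.
unsafe impl<T: Send, E: Send> Sync for FlawedResult<T, E> {}
// Suggested bound: the enum is Sync only when both payload types are Sync.
unsafe impl<T: Sync, E: Sync> Sync for FixedResult<T, E> {}

// Compile-time probe: the inherent constant exists only when X: Sync;
// otherwise path resolution falls back to the trait's default of false.
#[allow(dead_code)]
struct Probe<X>(PhantomData<X>);
trait Fallback { const IS_SYNC: bool = false; }
impl<X> Fallback for Probe<X> {}
#[allow(dead_code)]
impl<X: Sync> Probe<X> { const IS_SYNC: bool = true; }

// Cell<u32> is Send but not Sync: a shared &Cell allows unsynchronized writes.
pub fn flawed_accepts_cell() -> bool {
    <Probe<FlawedResult<Cell<u32>, ()>>>::IS_SYNC
}
pub fn fixed_accepts_cell() -> bool {
    <Probe<FixedResult<Cell<u32>, ()>>>::IS_SYNC
}
// Payloads that are themselves Sync remain shareable under the fixed bound.
pub fn fixed_accepts_sync_payload() -> bool {
    <Probe<FixedResult<u32, String>>>::IS_SYNC
}

fn main() {
    println!("flawed bound, Cell payload is Sync: {}", flawed_accepts_cell());
    println!("fixed bound,  Cell payload is Sync: {}", fixed_accepts_cell());
    println!("fixed bound,  u32/String is Sync:   {}", fixed_accepts_sync_payload());
}
```

With the fixed bound, code that tries to share a result holding a non-Sync payload between threads is rejected by the compiler instead of compiling into a data race.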

This report was generated using AI

Related Rust vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-66627 | HIGH | 8.4 | Rust | wasmi | No | Yes | Dec 09, 2025 |
| GHSA-xrv8-2pf5-f3q7 | MEDIUM | 6 | Rust | nitro-tpm-pcr-compute | No | Yes | Dec 05, 2025 |
| CVE-2025-67487 | MEDIUM | 5.5 | Rust | static-web-server | No | Yes | Dec 09, 2025 |
| CVE-2025-66622 | LOW | 1.3 | Rust | matrix-sdk-base | No | Yes | Dec 09, 2025 |
| RUSTSEC-2025-0135 | N/A | N/A | Rust | matrix-sdk-base | No | Yes | Dec 08, 2025 |
