Home > Vulnerability Database > WS-2023-0027

Mend.io Vulnerability Database

WS-2023-0027

Good to know:

Date: November 3, 2024

A soundness issue was discovered in tokio. tokio::io::ReadHalf<T>::unsplit can violate the Pin contract. Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf) is unusual, combined with the difficulty of making any arbitrary use-after-free exploitable in Rust without doing a lot of careful alignment of data types in the surrounding code. The tokio feature io-util is also required to be enabled to trigger this soundness issue.

Language: RUST

Severity Score

9.8

Related Resources (6)

Url: https://github.com/tokio-rs/tokio/issues/5372

Url: https://crates.io/crates/tokio

Url: https://rustsec.org/advisories/RUSTSEC-2023-0005.html

Url: https://github.com/tokio-rs/tokio/commit/d6ea7a742b92d3e516035a584ab9347a96be363a

Url: https://github.com/tokio-rs/tokio

Url: https://www.mend.io/vulnerability-database/WS-2023-0027

Severity Score

9.8

Weakness Type (CWE)

Use After Free

CWE-416

Top Fix

Upgrade Version

Upgrade to version tokio - 1.18.5,1.20.4,1.24.2

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0027

Good to know:

Date: November 3, 2024

Language: RUST

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?