Rust oneshot Crate, Race Condition Vulnerability Leading to Use-After-Free (Critical)

Listen to this Post

When a `oneshot::Receiver` future is polled, it transitions the internal channel state to `RECEIVING` and stores a waker on the heap. If this `Receiver` is then dropped before being polled to completion (e.g., due to a timeout), its `Drop` implementation immediately swaps the channel state to `DISCONNECTED` and then attempts to read and drop its stored waker from the heap allocation. Concurrently, a `Sender` observing the `DISCONNECTED` state may immediately deallocate the shared channel memory. This creates a narrow race window where the Receiver‘s drop logic can read the waker pointer from memory that has already been freed by the Sender, resulting in a use-after-free. This vulnerability can be triggered by wrapping the receiver in a future that may cancel it, such as a timeout. The fix ensures proper state synchronization and ordering to prevent the `Sender` from deallocating memory before the `Receiver` has safely retrieved its waker.
Platform: Rust Crate
Version: <0.1.12
Vulnerability: Race Condition
Severity: Critical
date: Disclosed 2021

Prediction: Patched 2021-08-31

What Undercode Say:

cargo audit
cargo tree | grep oneshot
// Example triggering code structure
tokio::time::timeout(duration, rx).await;

How Exploit:

Attacker controls Sender timing to cause memory corruption during Receiver drop, potentially leading to arbitrary code execution.

Protection from this CVE:

Update to >=0.1.12.

Impact:

Use-After-Free, possible RCE.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top