CVE-2024-27308Use After Free in MIO

CWE-416Use After FreeCWE-672Operation on a Resource after Expiration or Release6 documents5 sources
Severity
9.1CRITICALNVD
EPSS
0.9%
top 23.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
17
MIO Project MIOTokio-rs MIOTokio+14 more
Timeline
PublishedMar 6
Latest updateMar 12

Description

Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free. For users of To

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages18 packages

CVEListV5tokio-rs/mio>= 0.7.2, < 0.8.11

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Mio's tokens for named pipes may be delivered after deregistration2024-03-04
OSV
Tokens for named pipes may be delivered after deregistration2024-03-04
OSV
Mio's tokens for named pipes may be delivered after deregistration2024-03-04

📋Vendor Advisories

2
Microsoft
Mio's tokens for named pipes may be delivered after deregistration2024-03-12
Debian
CVE-2024-27308: rust-mio - Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will...2024
CVE-2024-27308 — Use After Free in Tokio-rs MIO | cvebase