CVE-2019-16137

Name of the Vulnerable Software and Affected Versions spin crate versions prior to 0.5.2

Description An issue was discovered in the spin crate for Rust, where wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time, violating mutual exclusion. This is due to the drop implementation using Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded. Only users of the RwLock implementation are affected, while users of Once, including users of lazy static with the spin no std feature enabled, are not affected. The issue is more serious on weakly ordered architectures such as ARM, where it is likely to result in memory corruption.

Recommendations For versions prior to 0.5.2, update to version 0.5.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of RwLock implementation until a patch is available. Restrict access to the RwLock implementation to minimize the risk of exploitation.