PT-2021-24284 · Tokio+2
Published: 2021-11-16 · Updated: 2024-09-09
CVE-2021-45710
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
tokio crate versions 1.8.4 and earlier
tokio crate versions 1.9.x through 1.13.x before 1.13.1
Description:
An issue in the tokio crate for Rust can cause a data race and memory corruption in certain circumstances involving a closed oneshot channel. If a tokio::sync::oneshot channel is closed via the oneshot::Receiver::close method, a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is being awaited or is calling try_recv. This can result in memory corruption when both halves of the channel are used after the Receiver half has called close.
Recommendations:
For tokio crate versions 1.8.4 and earlier, update to version 1.8.4 or later.
For tokio crate versions 1.9.x through 1.13.x before 1.13.1, update to version 1.13.1 or later.
As a temporary workaround, consider avoiding the use of the close method on the oneshot::Receiver half of the channel, or ensure that the oneshot::Sender::send method is not called while the corresponding oneshot::Receiver is being awaited or is calling try_recv.
Fix
Race Condition
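A dependency check for the version ranges above, as an added example that is not part of the original advisory or of the tokio project: it scans Cargo.lock text for tokio packages and flags affected versions. It assumes 1.8.4 and 1.13.1 are the fixed releases, as the Recommendations state; the function names and the SAMPLE_LOCK contents are constructed for illustration.

```rust
// Added example: classify tokio entries in a Cargo.lock against this advisory.
// Assumption: 1.8.4 and 1.13.1 are the fixed releases, per the Recommendations.
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "bytes"
version = "1.1.0"
[[package]]
name = "tokio"
version = "0.2.25"
[[package]]
name = "tokio"
version = "1.13.1"
"#; // constructed sample, not a real project's lock file

/// Parse "major.minor.patch"; a pre-release or build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let ver = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(ver) }
}
/// True for versions below 1.8.4, and for 1.9.0 up to (not including) 1.13.1.
fn is_affected(v: (u64, u64, u64)) -> bool {
    v < (1, 8, 4) || (v >= (1, 9, 0) && v < (1, 13, 1))
}
/// Value of a `key = "value"` line, if the line starts with that key.
fn quoted(line: &str, key: &str) -> Option<String> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}
/// Returns (version, affected) for every tokio package in the lock file text.
fn scan_lock(lock: &str) -> Vec<(String, bool)> {
    let (mut out, mut name) = (Vec::new(), String::new());
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name.clear();
        } else if let Some(n) = quoted(line, "name") {
            name = n;
        } else if let Some(v) = quoted(line, "version").filter(|_| name == "tokio") {
            // An unparseable version is flagged so that it gets reviewed.
            let hit = parse_version(&v).map_or(true, is_affected);
            out.push((v, hit));
        }
    }
    out
}
fn main() {
    for (v, hit) in scan_lock(SAMPLE_LOCK) { println!("tokio {}: affected = {}", v, hit); }
}
```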
Affected Products
Debian
Suse
Tokio