CVE-2024-27308

Name of the Vulnerable Software and Affected Versions mio versions 0.7.2 through 0.8.10 Tokio versions 1.30.0 and later, when used with a vulnerable version of mio

Description The issue occurs when using named pipes on Windows, where mio may return invalid tokens corresponding to named pipes that have already been deregistered from the mio registry. The impact depends on how mio is used, potentially resulting in ignored tokens, warnings, crashes, or use-after-free errors, especially for applications storing pointers in tokens. For Tokio users, this issue can lead to a use-after-free in Tokio. The vulnerability is Windows-specific and only affects named pipes.

Recommendations For mio versions 0.7.2 through 0.8.10, update to mio v0.8.11 or later to resolve the issue. For Tokio versions 1.30.0 and later, when used with a vulnerable version of mio, update mio to v0.8.11 or later to resolve the issue. As a temporary workaround, vulnerable libraries that use mio can detect and ignore invalid tokens to minimize the risk of exploitation.