{"ecosystem":"cargo","package":"tokio","version":null,"bugs":[{"id":856,"ecosystem":"cargo","package_name":"tokio","affected_version":"0.1.14","fixed_version":"1.8.4","bug_id":"osv:GHSA-fg7r-2g4j-5cgr","title":"Race Condition in tokio","description":"If a tokio::sync::oneshot channel is closed (via the oneshot::Receiver::close method), a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is awaited or calling try_recv.\n\nWhen these methods are called concurrently on a closed channel, the two halves of the channel can concurrently access a shared memory location, resulting in a data race. This has been observed to cause memory corruption.\n\nNote that the race only occurs when both halves of the channel are used after the Receiver half has called close. Code where close is not used, or where the Receiver is not awaited and try_recv is not called after calling close, is not affected.\n\n","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45710","labels":["CVE-2021-45710","RUSTSEC-2021-0124"],"created_at":"2026-04-19T04:32:01.691584+00:00","updated_at":"2026-04-19T04:32:01.691584+00:00"},{"id":862,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.44.0","fixed_version":"1.44.2","bug_id":"osv:RUSTSEC-2025-0023","title":"Broadcast channel calls clone in parallel, but does not require `Sync`","description":"The broadcast channel internally calls `clone` on the stored value when\nreceiving it, and only requires `T:Send`. 
This means that using the broadcast\nchannel with values that are `Send` but not `Sync` can trigger unsoundness if\nthe `clone` implementation makes use of the value being `!Sync`.\n\nThank you to Austin Bonander for finding and reporting this issue.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/tokio","labels":["GHSA-rr8g-9fpq-6wmg"],"created_at":"2026-04-19T04:32:01.694511+00:00","updated_at":"2026-04-19T04:32:01.694511+00:00"},{"id":861,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.21.0","fixed_version":"1.24.2","bug_id":"osv:RUSTSEC-2023-0005","title":"`tokio::io::ReadHalf<T>::unsplit` is Unsound","description":"`tokio::io::ReadHalf<T>::unsplit` can violate the `Pin` contract\n\nThe soundness issue is described in the [tokio/issues#5372](https://github.com/tokio-rs/tokio/issues/5372)\n\nSpecific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf)\nis unusual, combined with the difficulty of making any arbitrary use-after-free\nexploitable in Rust without doing a lot of careful alignment of data types in\nthe surrounding code.\n\nThe `tokio` feature `io-util` is also required to be enabled to trigger this\nsoundness issue.\n\nThanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e\nand carllerche appropriately responding and fixing the soundness bug.\n\nTokio before 0.2.0 used `futures` 0.1 that did not have `Pin`, so it is not\naffected by this issue.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/tokio","labels":["GHSA-4q83-7cq4-p6wg"],"created_at":"2026-04-19T04:32:01.694076+00:00","updated_at":"2026-04-19T04:32:01.694076+00:00"},{"id":860,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.21.0","fixed_version":"1.23.1","bug_id":"osv:RUSTSEC-2023-0001","title":"reject_remote_clients Configuration corruption","description":"On Windows, configuring a named pipe server with [pipe_mode] will force 
[ServerOptions]::[reject_remote_clients] as `false`.\n\nThis drops any intended explicit configuration for the [reject_remote_clients] that may have been set as `true` previously.\n\nThe default setting of [reject_remote_clients] is normally `true` meaning the default is also overridden as `false`.\n\n## Workarounds\n\nEnsure that [pipe_mode] is set first after initializing a [ServerOptions]. For example:\n\n```rust\nlet mut opts = ServerOptions::new();\nopts.pipe_mode(PipeMode::Message);\nopts.reject_remote_clients(true);\n```\n\n[ServerOptions]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html\n[pipe_mode]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.pipe_mode\n[reject_remote_clients]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.reject_remote_clients","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/tokio","labels":["CVE-2023-22466","GHSA-7rrj-xr53-82p7"],"created_at":"2026-04-19T04:32:01.693464+00:00","updated_at":"2026-04-19T04:32:01.693464+00:00"},{"id":859,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.9.0","fixed_version":"1.13.1","bug_id":"osv:RUSTSEC-2021-0124","title":"Data race when sending and receiving after closing a `oneshot` channel","description":"If a `tokio::sync::oneshot` channel is closed (via the\n[`oneshot::Receiver::close`] method), a data race may occur if the\n`oneshot::Sender::send` method is called while the corresponding\n`oneshot::Receiver` is `await`ed or calling `try_recv`.\n\nWhen these methods are called concurrently on a closed channel, the two halves\nof the channel can concurrently access a shared memory location, resulting in a\ndata race. This has been observed to [cause memory corruption][corruption].\n\nNote that the race only occurs when **both** halves of the channel are used\nafter the `Receiver` half has called `close`. 
Code where `close` is not used, or where the\n`Receiver` is not `await`ed and `try_recv` is not called after calling `close`,\nis not affected.\n\nSee [tokio#4225][issue] for more details.\n\n[corruption]: https://github.com/tokio-rs/tokio/issues/4225#issuecomment-967434847\n[issue]: https://github.com/tokio-rs/tokio/issues/4225\n[`oneshot::Receiver::close`]: https://docs.rs/tokio/1.14.0/tokio/sync/oneshot/struct.Receiver.html#method.close","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/tokio","labels":["CVE-2021-45710","GHSA-fg7r-2g4j-5cgr"],"created_at":"2026-04-19T04:32:01.692952+00:00","updated_at":"2026-04-19T04:32:01.692952+00:00"},{"id":858,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.8.0","fixed_version":"1.8.1","bug_id":"osv:RUSTSEC-2021-0072","title":"Task dropped in wrong thread when aborting `LocalSet` task","description":"When aborting a task with `JoinHandle::abort`, the future is dropped in the\nthread calling abort if the task is not currently being executed. This is\nincorrect for tasks spawned on a `LocalSet`.\n\nThis can easily result in race conditions as many projects use `Rc` or `RefCell`\nin their Tokio tasks for better performance.\n\nSee [tokio#3929][issue] for more details.\n\n[issue]: https://github.com/tokio-rs/tokio/issues/3929","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/tokio","labels":["CVE-2021-38191","GHSA-2grh-hm3w-w7hv"],"created_at":"2026-04-19T04:32:01.692467+00:00","updated_at":"2026-04-19T04:32:01.692467+00:00"},{"id":855,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.7.0","fixed_version":"1.18.4","bug_id":"osv:GHSA-7rrj-xr53-82p7","title":"Tokio reject_remote_clients configuration may get dropped when creating a Windows named pipe","description":"### Impact\n\nWhen configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. 
If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. This also applies if `reject_remote_clients` is not explicitly set as this is the default configuration and is cleared by calling `pipe_mode`.\n\nRemote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB).\n\n### Patches\n\nThe following versions have been patched:\n* 1.23.1\n* 1.20.3\n* 1.18.4\n\nThe fix will also be present in all releases starting from version 1.24.0.\n\nNamed pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected.\n\n### Workarounds\n\nEnsure that `pipe_mode` is set **first** after initializing a `ServerOptions`. For example:\n\n```rust\nlet mut opts = ServerOptions::new();\nopts.pipe_mode(PipeMode::Message);\nopts.reject_remote_clients(true);\n```\n\n### References\n\nhttps://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7","labels":["CVE-2023-22466","RUSTSEC-2023-0001"],"created_at":"2026-04-19T04:32:01.691083+00:00","updated_at":"2026-04-19T04:32:01.691083+00:00"},{"id":853,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.8.0","fixed_version":"1.8.1","bug_id":"osv:GHSA-2grh-hm3w-w7hv","title":"Race condition in tokio","description":"When aborting a task with JoinHandle::abort, the future is dropped in the thread calling abort if the task is not currently being executed. This is incorrect for tasks spawned on a LocalSet. 
This can easily result in race conditions as many projects use Rc or RefCell in their Tokio tasks for better performance.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38191","labels":["CVE-2021-38191","RUSTSEC-2021-0072"],"created_at":"2026-04-19T04:32:01.689635+00:00","updated_at":"2026-04-19T04:32:01.689635+00:00"},{"id":9,"ecosystem":"cargo","package_name":"tokio","affected_version":"<1.38.1","fixed_version":"1.38.1","bug_id":"github:#6774","title":"Possible panic in broadcast channel receiver","description":"A race condition could cause a panic when the broadcast channel was dropped with pending receivers. Fixed in 1.38.1.","severity":"medium","status":"closed","source":"github_issues","source_url":"https://github.com/tokio-rs/tokio/issues/6774","labels":["bug","concurrency"],"created_at":"2026-04-19T02:03:59.605234+00:00","updated_at":"2026-04-19T02:03:59.605234+00:00"},{"id":857,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.44.0","fixed_version":"1.44.2","bug_id":"osv:GHSA-rr8g-9fpq-6wmg","title":"Tokio broadcast channel calls clone in parallel, but does not require `Sync`","description":"The broadcast channel internally calls `clone` on the stored value when receiving it, and only requires `T:Send`. 
This means that using the broadcast channel with values that are `Send` but not `Sync` can trigger unsoundness if the `clone` implementation makes use of the value being `!Sync`.\n\nThank you to Austin Bonander for finding and reporting this issue.","severity":"low","status":"fixed","source":"osv","source_url":"https://github.com/tokio-rs/tokio/pull/7232","labels":["RUSTSEC-2025-0023"],"created_at":"2026-04-19T04:32:01.692027+00:00","updated_at":"2026-04-19T04:32:01.692027+00:00"},{"id":854,"ecosystem":"cargo","package_name":"tokio","affected_version":"1.21.0","fixed_version":"1.24.2","bug_id":"osv:GHSA-4q83-7cq4-p6wg","title":"`tokio::io::ReadHalf<T>::unsplit` is Unsound","description":"`tokio::io::ReadHalf<T>::unsplit` can violate the `Pin` contract\n\nThe soundness issue is described in the [tokio/issues#5372](https://github.com/tokio-rs/tokio/issues/5372)\n\nSpecific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf)\nis unusual, combined with the difficulty of making any arbitrary use-after-free\nexploitable in Rust without doing a lot of careful alignment of data types in\nthe surrounding code.\n\nThe `tokio` feature `io-util` is also required to be enabled to trigger this\nsoundness issue.\n\nThanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e\nand carllerche appropriately responding and fixing the soundness bug.\n\nTokio before 0.2.0 used `futures` 0.1 that did not have `Pin`, so it is not\naffected by this issue.\n","severity":"low","status":"fixed","source":"osv","source_url":"https://github.com/tokio-rs/tokio/issues/5372","labels":["RUSTSEC-2023-0005"],"created_at":"2026-04-19T04:32:01.690500+00:00","updated_at":"2026-04-19T04:32:01.690500+00:00"}],"total":11,"_cache":"miss"}