CVE-2021-38191
Description
An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a JoinHandle::abort, a Task may be dropped in the wrong thread.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In tokio before 1.8.1, aborting a LocalSet task via JoinHandle::abort drops the future in the wrong thread, leading to race conditions and potential memory corruption.
Vulnerability
An issue exists in the tokio crate (versions 0.3.0 up to but not including 1.8.1) where calling JoinHandle::abort on a task spawned within a LocalSet drops the associated future in the thread that invoked abort, rather than in the task's original runtime thread [1][3]. This violates thread-safety guarantees for !Send types such as Rc or RefCell [3][4]. The affected function is tokio::task::JoinHandle::abort, and the bug is present in all tokio versions from 0.3.0 until 1.8.0 inclusive [3].
Exploitation
An attacker (or a malicious local actor) who can control the thread from which JoinHandle::abort is called—for example, by spawning a helper thread that calls abort on a LocalSet task handle—can trigger the drop of a !Send future in an unintended thread [4]. The exploit relies on the fact that abort immediately drops the future if the task is not currently executing; when the task is on a LocalSet, that drop occurs in the caller's thread instead of the LocalSet's runtime thread [4]. The attacker must have the ability to call abort from a thread different from the LocalSet worker thread [4].
Impact
Successful exploitation causes a task's future (and any resources it holds) to be dropped in the wrong thread [1][3]. For !Send types like Rc or RefCell, this can lead to data races, undefined behavior, and memory corruption [3][4]. In practice, this undermines the safety guarantees provided by Rust's ownership and thread-safety model, potentially allowing memory unsafety in applications that rely on LocalSet for thread-local tasks [4].
Mitigation
The vulnerability is fixed in tokio versions 1.8.1, 1.7.2, 1.6.3, and 1.5.1 [3]. Users should upgrade to the latest patched version (≥1.8.1) for their major release line [3]. No workaround is available for unpatched versions; avoiding the use of JoinHandle::abort on LocalSet‑spawned tasks can prevent exploitation, but this is not a complete mitigation because other code paths may inadvertently trigger the abort [3]. The advisory is listed in the RustSec database (RUSTSEC-2021-0072) [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tokio (crates.io) | >= 1.8.0, < 1.8.1 | 1.8.1 |
| tokio (crates.io) | >= 1.7.0, < 1.7.2 | 1.7.2 |
| tokio (crates.io) | >= 1.6.0, < 1.6.3 | 1.6.3 |
| tokio (crates.io) | >= 0.3.0, < 1.5.1 | 1.5.1 |
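To check a project against the ranges in the table above, the following added example (not code from tokio or from the advisory) scans `Cargo.lock` text for `tokio` entries and flags any version inside an affected range. The function names and the sample lockfile are constructed for illustration.

```rust
// Added example. Ranges transcribed from the "Affected packages" table on this page.
type Ver = (u64, u64, u64);

// Each entry: (inclusive lower bound, exclusive upper bound = first patched release).
const AFFECTED: [(Ver, Ver); 4] = [
    ((1, 8, 0), (1, 8, 1)), ((1, 7, 0), (1, 7, 2)),
    ((1, 6, 0), (1, 6, 3)), ((0, 3, 0), (1, 5, 1)),
];

// Constructed sample input, not taken from a real project.
const SAMPLE_LOCK: &str = r#"[[package]]
name = "tokio"
version = "0.2.25"

[[package]]
name = "tokio"
version = "1.7.1"
"#;

// Accepts plain MAJOR.MINOR.PATCH only; pre-release or build suffixes yield None.
fn parse_version(s: &str) -> Option<Ver> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

fn is_affected(v: Ver) -> bool {
    AFFECTED.iter().any(|&(lo, hi)| v >= lo && v < hi)
}

// Extracts the quoted value from a `key = "value"` line, if the key matches.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// Returns every tokio version in the lockfile that falls in an affected range.
fn affected_tokio_in_lockfile(lock: &str) -> Vec<String> {
    let (mut hits, mut is_tokio) = (Vec::new(), false);
    for line in lock.lines() {
        if let Some(name) = quoted_value(line, "name") {
            is_tokio = name == "tokio"; // `name` opens each package entry
        } else if let Some(ver) = quoted_value(line, "version") {
            // Unparseable versions are reported too, so they get a manual look.
            if is_tokio && parse_version(ver).map_or(true, is_affected) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

fn main() { println!("{:?}", affected_tokio_in_lockfile(SAMPLE_LOCK)); }
```

A lockfile can contain several semver-incompatible `tokio` versions at once, which is why the scan returns a list rather than a single verdict.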
Affected products
- tokio/tokio
References
- github.com/advisories/GHSA-2grh-hm3w-w7hv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-38191 (ghsa, ADVISORY)
- github.com/tokio-rs/tokio/issues/3929 (ghsa, WEB)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/tokio/RUSTSEC-2021-0072.md (ghsa, x_refsource_MISC, WEB)
- rustsec.org/advisories/RUSTSEC-2021-0072.html (ghsa, x_refsource_MISC, WEB)