VYPR
High severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45710


Description

An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A data race in Tokio's oneshot channel when the receiver is closed and concurrently sent to can lead to memory corruption.

Vulnerability

A data race exists in the tokio::sync::oneshot channel implementation in the Tokio crate for Rust, affecting versions from 0.1.14 before 1.8.4 and from 1.9.0 before 1.13.1 (the advisory also describes this as 0.1.14 through 1.13.0) [1][3][4]. The race occurs when oneshot::Receiver::close has been called and, with the channel in that closed state, oneshot::Sender::send runs concurrently with the receiver either being awaited or calling try_recv [3][4]. Both halves of the channel then access a shared memory location without proper synchronization [4].

Exploitation

An attacker does not require any special network position or authentication; the vulnerability is triggered purely by concurrent use of internal API calls within a single process [3][4]. The precise sequence is: the Receiver side calls close, and while the channel is in that closed state, the Sender side calls send at the same time that the Receiver is either awaited or performing a try_recv [3][4]. The race window is small and requires the two operations to overlap exactly, but it can be reliably reproduced [4]. No user interaction beyond normal program execution is needed if the attacker can influence code paths that invoke these methods concurrently.

Impact

Successful exploitation results in a data race that has been observed to cause memory corruption [3][4]. The concrete outcome could include undefined behavior, information disclosure, or program crashes, depending on the corrupted memory layout. Because this is a memory safety violation in an asynchronous runtime, it can potentially be leveraged for more severe outcomes such as arbitrary code execution, though the available references do not confirm that specific exploitability [4].

Mitigation

The vulnerability is patched in Tokio versions 1.8.4 (for the 1.8.x branch) and 1.13.1 (for the 1.13.x branch) [1][3][4]. Users should upgrade to a version satisfying >=1.8.4, <1.9.0 (the 1.8.x branch) or >=1.13.1 [3][4]. There is no known workaround other than avoiding concurrent use of close and send on the same oneshot channel after the receiver has been closed, which may be impractical in complex codebases [3][4]. The advisory notes that the race only occurs when both halves of the channel are used after the Receiver has called close [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions      Patched versions
tokio (crates.io)  >= 0.1.14, < 1.8.4     1.8.4
tokio (crates.io)  >= 1.9.0, < 1.13.1     1.13.1
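As an added check (not code from the advisory or from the tokio project), the following standard-library-only Rust program scans a Cargo.lock for tokio entries whose version falls inside the two affected ranges listed above. It assumes the lock file uses cargo's usual `[[package]]` / `name = "..."` / `version = "..."` layout; the sample lock file in `main` is constructed for illustration.

```rust
// Added check for CVE-2021-45710 (not part of the advisory or the tokio crate).
// Affected ranges from the table above: >= 0.1.14, < 1.8.4 and >= 1.9.0, < 1.13.1.

/// Parse "MAJOR.MINOR.PATCH" into a tuple; pre-release/build suffixes are ignored.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let (a, b, c) = (parts.next()??, parts.next()??, parts.next()??);
    Some((a, b, c))
}

/// True if the version lies in one of the advisory's affected ranges.
pub fn is_affected(version: &str) -> bool {
    let v = match parse_semver(version) {
        Some(v) => v,
        None => return false, // unparseable version: cannot classify, report not affected
    };
    let in_range = |lo: (u64, u64, u64), hi: (u64, u64, u64)| v >= lo && v < hi;
    in_range((0, 1, 14), (1, 8, 4)) || in_range((1, 9, 0), (1, 13, 1))
}

/// Walk Cargo.lock text and return every tokio version that is affected.
/// Minimal parser: each `[[package]]` block carries `name = "..."` and
/// `version = "..."` lines, which is how cargo writes the file.
pub fn affected_tokio_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut current_name: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            current_name = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            current_name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            let ver = rest.trim_matches('"');
            if current_name.as_deref() == Some("tokio") && is_affected(ver) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

fn main() {
    // Constructed sample lock file (not from any real project).
    let sample = "[[package]]\nname = \"tokio\"\nversion = \"1.12.0\"\n\n\
                  [[package]]\nname = \"tokio-util\"\nversion = \"0.6.9\"\n";
    for v in affected_tokio_versions(sample) {
        println!("tokio {} is within an affected range of CVE-2021-45710", v);
    }
}
```

Run it against a real project with `std::fs::read_to_string("Cargo.lock")` in place of the sample; an empty result means no locked tokio version is in the affected ranges.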

Affected products: 25

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.