CVE-2024-27308

EPSS 0.72%
Veröffentlicht 06.03.2024 20:15:47
Zuletzt bearbeitet 04.12.2025 17:51:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free. For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio. The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected. This vulnerability has been fixed in mio v0.8.11. All versions of mio between v0.7.2 and v0.8.10 are vulnerable. Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable. Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mio Project ≫ Mio SwPlatformrust Version >= 0.7.2 <= 0.8.10

Tokio ≫ Tokio SwPlatformrust Version >= 1.30.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.716

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

CWE-672 Operation on a Resource after Expiration or Release

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

https://github.com/tokio-rs/mio/commit/90d4fe00df870acd3d38f3dc4face9aacab8fbb9

Patch

https://github.com/tokio-rs/mio/pull/1760

Issue Tracking

https://github.com/tokio-rs/mio/security/advisories/GHSA-r8w9-5wcg-vfj7

Vendor Advisory

https://github.com/tokio-rs/tokio/issues/6369

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-27308

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27308

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27308

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-27308