Upgrade oneshot to version 0.1.12 or higher.
oneshot is a oneshot SPSC (single producer, single consumer) channel, meaning each channel instance can only transport a single message. This has a few nice outcomes. One is that the implementation can be very efficient, utilizing the knowledge that there will only be one message. More importantly, it allows the API to be expressed in such a way that certain edge cases you don't want to care about when only sending a single message on a channel do not exist. For example, the sender can't be copied or cloned, and the send method takes ownership and consumes the sender. So you are guaranteed, at the type level, that there can only be one message sent.
The sender's send method is non-blocking, and potentially lock- and wait-free. See documentation on [Sender::send] for situations where it might not be fully wait-free. The receiver supports both lock- and wait-free try_recv as well as indefinite and time limited thread blocking receive operations. The receiver also implements Future and supports asynchronously awaiting the message.
Affected versions of this package are vulnerable to Use After Free via a race condition in the Receiver. An attacker can cause memory corruption or potentially execute arbitrary code by triggering the drop of a Receiver future while it is being polled, such as by cancelling the future or wrapping it in a timeout, which may result in use of freed memory if the Sender deallocates the channel before the Receiver completes its drop logic.
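One way to check a project for the affected versions, as an added example (not code from Snyk or from the oneshot project): it scans Cargo.lock text for entries of the crate named exactly `oneshot` that fall below 0.1.12, the fixed version named above. The lockfile excerpt and the `oneshot-lookalike` crate name are constructed for illustration.

```rust
// Added example: report `oneshot` versions in Cargo.lock text that predate the fix.
const FIXED: (u64, u64, u64) = (0, 1, 12); // fixed release stated in the advisory
// Constructed lockfile excerpt; `oneshot-lookalike` is a made-up crate name.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "oneshot"
version = "0.1.11"
[[package]]
name = "oneshot-lookalike"
version = "0.1.6"
[[package]]
name = "oneshot"
version = "0.1.12"
"#;
/// Extract the quoted value from a `key = "value"` line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// True if `v` sorts before FIXED; a pre-release of FIXED counts as older.
fn is_vulnerable(v: &str) -> bool {
    let core = v.split('+').next().unwrap_or(v); // drop build metadata
    let (nums, pre) = core.split_once('-').map_or((core, false), |(n, _)| (n, true));
    let parsed: Option<Vec<u64>> = nums.split('.').map(|x| x.parse::<u64>().ok()).collect();
    match parsed.as_deref() {
        Some(&[a, b, c]) => (a, b, c) < FIXED || ((a, b, c) == FIXED && pre),
        _ => true, // unparseable version: fail closed and flag it
    }
}

/// Versions of the crate named exactly `oneshot` that need upgrading.
fn vulnerable_oneshot_versions(lock: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(n) = field(line, "name") {
            name = Some(n);
        } else if let Some(v) = field(line, "version").filter(|v| name == Some("oneshot") && is_vulnerable(v)) {
            hits.push(v.to_string());
        }
    }
    hits
}

fn main() {
    println!("upgrade needed for: {:?}", vulnerable_oneshot_versions(SAMPLE_LOCK));
}
```

A lockfile can list the same crate at several versions when dependencies disagree, so every reported version needs to be resolved, not just the first.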