Memory Corruption Affecting thread_local package, versions <1.1.4
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUST-THREADLOCAL-2359987
- published 25 Jan 2022
- disclosed 23 Jan 2022
- credit Unknown
How to fix?
Upgrade thread_local to version 1.1.4 or higher.
Overview
thread_local is a library which allow a separate copy of an object to be used for each thread. This allows for per-object thread-local storage, unlike the standard library's thread_local! macro which only allows static thread-local storage.
Affected versions of this package are vulnerable to Memory Corruption via {Iter, IterMut}::next which uses a weaker memory ordering when loading values than what was required, exposing a potential data race when iterating over ThreadLocal's values.