Invalid tokens returned for named pipes in mio under Windows, potentially leading to use-after-free in Tokio
CVE-2024-27308
What is CVE-2024-27308?
The vulnerability affects Mio, the Metal I/O library for Rust, when named pipes are used on Windows. Under certain conditions, Mio may return invalid tokens for named pipes that have already been deregistered. This creates a use-after-free risk for applications that store pointers in these tokens. Applications that ignore invalid tokens may encounter warnings or crashes, while those that store pointers can face more severe consequences. The issue is particularly concerning for Tokio users: vulnerable versions of Mio (between v0.7.2 and v0.8.10) combined with Tokio v1.30.0 or higher can lead to critical application failures. Workarounds exist for some libraries that use Mio, but updating to the patched version, mio v0.8.11, remains important for maintaining application integrity and security.

Affected Version(s)
mio >= 0.7.2, < 0.8.11
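One way to check a project against the affected range above, as an added example that is not code from the advisory or from the mio project: a dependency-free Rust scan of Cargo.lock text that flags locked mio versions >= 0.7.2 and < 0.8.11 and notes when tokio >= 1.30.0 is locked alongside. The function names are hypothetical and the lockfile content is a constructed sample.

```rust
type Ver = (u64, u64, u64);

/// Parse "MAJOR.MINOR.PATCH"; a pre-release or build suffix is ignored (assumption).
fn parse_ver(s: &str) -> Option<Ver> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Collect (name, version) pairs from the [[package]] tables of a Cargo.lock.
fn packages(lock: &str) -> Vec<(String, Ver)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level lockfile `version = N` line has no name and is skipped.
            if let (Some(n), Some(ver)) = (name.take(), parse_ver(v.trim_matches('"'))) {
                out.push((n, ver));
            }
        }
    }
    out
}

/// Findings for CVE-2024-27308: mio >= 0.7.2 and < 0.8.11, with a note when
/// tokio >= 1.30.0 is locked in the same file.
fn audit(lock: &str) -> Vec<String> {
    let pkgs = packages(lock);
    let tokio = pkgs.iter().any(|(n, v)| n == "tokio" && *v >= (1, 30, 0));
    pkgs.iter()
        .filter(|(n, v)| n == "mio" && *v >= (0, 7, 2) && *v < (0, 8, 11))
        .map(|(_, v)| format!("mio {}.{}.{} affected{}", v.0, v.1, v.2,
            if tokio { " (tokio >= 1.30.0 present)" } else { "" }))
        .collect()
}

// Constructed sample lockfile (checksums and dependency lists omitted).
const SAMPLE: &str = r#"[[package]]
name = "mio"
version = "0.8.10"
[[package]]
name = "tokio"
version = "1.36.0"
"#;
fn main() { audit(SAMPLE).iter().for_each(|f| println!("{f}")); }
```

A lockfile can contain more than one mio version, so each affected entry is reported separately.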
