{"id":"RUSTSEC-2026-0005","summary":"Potential use-after-free in `oneshot` when used asynchronously","details":"There is a race condition that can lead to a use-after-free if a `oneshot::Receiver` is polled but then dropped instead of polled to completion. This could happen if the receiver future was cancelled while receiving, for example by being wrapped in a timeout future or similar.\n\nWhen the `Receiver` is polled (`Future::poll`) it writes a waker to the channel and sets it to the `RECEIVING` state. If the `Receiver` was then dropped (instead of polled to completion), the `Drop` implementation on `Receiver` unconditionally swapped the channel state to `DISCONNECTED` and only after doing so it read back its waker from the heap allocation and dropped it. The problem is that the `DISCONNECTED` state could be observed by the `Sender`, which would lead to it deallocating the channel heap memory. If the `Sender` managed to free the channel before the `Receiver` managed to proceed to dropping the waker, then the `Receiver` would read from the freed channel memory (use-after-free).\n\nThe fix was submitted in https://github.com/faern/oneshot/pull/74 and published as part of `oneshot` version `0.1.12`.","aliases":["GHSA-rvr2-r3pv-5m4p"],"modified":"2026-01-27T06:11:17.438685Z","published":"2026-01-25T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/oneshot"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0005.html"},{"type":"REPORT","url":"https://github.com/faern/oneshot/issues/73"}],"affected":[{"package":{"name":"oneshot","ecosystem":"crates.io","purl":"pkg:cargo/oneshot"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.1.2-0"},{"fixed":"0.1.12"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"functions":[],"arch":[]}},"database_specific":{"categories":[],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0005.json","informational":"unsound","cvss":null}}],"schema_version":"1.7.3"}