MEDIUM
ARIA assesses this issue as MEDIUM severity due to the context-specific nature of snoozing issues in async Rust. Real-world exploitability is moderate; it requires specific coding patterns and can be mitigated by adhering to best practices. No known patches exist, but preventive measures are recommended.

The advisory discusses the 'snoozing' issue in async Rust programming, which can lead to hangs and deadlocks. The problem arises when futures are not polled after being started, particularly in scenarios where tasks poll multiple futures concurrently. Affected systems may experience mysterious latencies, timeouts, or deadlocks.

Affected Systems
  • Rust applications using asynchronous futures
  • async Rust libraries
Affected Versions: All versions using the described async programming patterns
Remediation
  • Review and refactor code to ensure all futures that are started are also polled to completion or explicitly dropped.
  • Follow Tokio's recommendation to minimize the use of async locks, using regular locks when possible.
  • Investigate and modify any custom select! macro usage to prevent deadlocks caused by snoozed futures.
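
A minimal std-only model of the snoozing pattern and the "explicitly drop" remediation above, added here as an illustration and not taken from the advisory or from Tokio. `Holder`, `Lock`, `poll_once` and `snooze_demo` are hypothetical names, and the shared flag is an assumed stand-in for an async lock.

```rust
use std::cell::Cell;
use std::future::Future;
use std::pin::Pin;
use std::rc::Rc;
use std::sync::Arc;
use std::task::{Context, Poll, Wake, Waker};

struct Noop; // waker that does nothing; polling is driven by hand below
impl Wake for Noop { fn wake(self: Arc<Self>) {} }

// Hypothetical stand-in for an async lock: a shared "held" flag.
type Lock = Rc<Cell<bool>>;

// Takes the lock on its first poll, finishes on a later poll, releases on drop.
struct Holder { lock: Lock, held: bool }

impl Future for Holder {
    type Output = ();
    fn poll(mut self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<()> {
        if self.held { return Poll::Ready(()); }       // second poll: done
        if self.lock.get() { return Poll::Pending; }   // lock busy: wait
        self.lock.set(true);                           // started: lock taken
        self.held = true;
        Poll::Pending
    }
}

impl Drop for Holder {
    fn drop(&mut self) { if self.held { self.lock.set(false); } }
}

fn poll_once(f: &mut Holder) -> bool {
    let waker = Waker::from(Arc::new(Noop));
    Pin::new(f).poll(&mut Context::from_waker(&waker)).is_ready()
}

// Returns (b finished while a was snoozed, b finished after a was dropped).
fn snooze_demo() -> (bool, bool) {
    let lock: Lock = Rc::new(Cell::new(false));
    let mut a = Holder { lock: lock.clone(), held: false };
    let mut b = Holder { lock: lock.clone(), held: false };
    poll_once(&mut a); // a is started (as when polled by reference), then snoozed
    let progressed = (0..1000).any(|_| poll_once(&mut b)); // b never gets the lock
    drop(a);           // remediation: dropping the started future frees the lock
    poll_once(&mut b); // b takes the lock
    (progressed, poll_once(&mut b))
}

fn main() { println!("{:?}", snooze_demo()); }
```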
Stack Impact

Does not directly impact nginx, docker, linux kernel, openssh, curl, openssl, python. Affects Rust applications and libraries utilizing asynchronous programming.
