
Cloud Vulnerability DB
A community-led vulnerabilities database
The tokio-boring library version 4.0.0 is affected by a memory leak vulnerability (CVE-2023-6180) that was discovered and disclosed in December 2023. The vulnerability affects the set_ex_data function in the library, which fails to properly deallocate memory after completing TLS connections (Vendor Advisory).
The root cause is a memory management issue: the set_ex_data function does not deallocate the memory used by pre-existing data after TLS connections complete. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue is classified under multiple CWE categories, including CWE-401 (Missing Release of Memory after Effective Lifetime), CWE-404 (Improper Resource Shutdown or Release), and CWE-400 (Uncontrolled Resource Consumption) (NVD).
The vulnerability can lead to excessive resource consumption and potential Denial of Service (DoS) through resource exhaustion. Each new TLS connection causes the program to consume more resources as memory is not properly deallocated, leading to a progressive increase in memory usage over time (Vendor Advisory).
The vulnerability has been fixed in version 4.1.0 of tokio-boring. Users are advised to upgrade to this patched version to address the memory leak issue (Vendor Advisory).
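One way to check a project for the affected release, as an added example that is not part of the advisory or the tokio-boring project: it scans Cargo.lock text for tokio-boring entries and classifies each version using only what this page states (4.0.0 affected, 4.1.0 fixed). The Status names, helper functions and sample lockfile are constructed for illustration; versions the page does not mention are reported as NotCovered rather than guessed.

```rust
#[derive(Debug, PartialEq)]
enum Status {
    Affected,   // 4.0.0, the version this page names as affected
    Fixed,      // 4.1.0 (the fixed release) or later
    NotCovered, // anything else: this page makes no statement about it
}
// Strict MAJOR.MINOR.PATCH parse; pre-release or malformed strings yield None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(triple) }
}

fn classify(version: &str) -> Status {
    match parse_version(version) {
        Some((4, 0, 0)) => Status::Affected,
        Some(v) if v >= (4, 1, 0) => Status::Fixed,
        _ => Status::NotCovered,
    }
}

// Extract the value from a lockfile line of the form `key = "value"`.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// Return (version, status) for every tokio-boring entry in Cargo.lock text.
// Relies on Cargo.lock listing `name` before `version` in each [[package]].
fn scan_lockfile(lock: &str) -> Vec<(String, Status)> {
    let mut found = Vec::new();
    let mut name: Option<&str> = None;
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = None;
        } else if let Some(n) = quoted(line, "name") {
            name = Some(n);
        } else if let Some(v) = quoted(line, "version").filter(|_| name == Some("tokio-boring")) {
            found.push((v.to_string(), classify(v)));
        }
    }
    found
}

// Constructed sample lockfile content, not taken from any real project.
const SAMPLE: &str = "version = 3\n\n[[package]]\nname = \"tokio\"\nversion = \"1.35.0\"\n\n[[package]]\nname = \"tokio-boring\"\nversion = \"4.0.0\"\n";

fn main() {
    for (v, s) in scan_lockfile(SAMPLE) { println!("tokio-boring {}: {:?}", v, s); }
}
```

A lockfile can hold more than one version of the same crate, so every matching entry is reported rather than only the first.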
Source: This report was generated using AI