GHSA-2qv5-7mw5-j3cg: 
Rust vulnerability analysis and mitigation

A moderate severity vulnerability was discovered in the spin-rs Rust package affecting versions 0.9.3 through 0.9.8. The vulnerability, identified as GHSA-2qv5-7mw5-j3cg, involves unsoundness in the Once::try_call_once function when it is invoked concurrently and initialization fails. The issue was published and reviewed on April 3, 2023 (GitHub Advisory, RustSec Advisory).

The vulnerability occurs in the Once::try_call_once function when multiple threads attempt to access the Once instance simultaneously and initialization fails. The function incorrectly assumes that the state can only transition from running to either complete or panicked, failing to account for scenarios where the once function returns an error and reverts to an incomplete state. In debug builds, this results in a panic, while in release builds it leads to undefined behavior through an unreachable() call (Spin-RS Issue).

When exploited, this vulnerability can lead to undefined behavior in release builds of applications using the affected versions of spin-rs. This is particularly concerning in concurrent scenarios where multiple threads attempt initialization, and any initialization attempt fails (GitHub Advisory).

The vulnerability has been patched in version 0.9.8 of the spin-rs package. Users are advised to upgrade to this version or later to address the issue. Versions prior to 0.9.3 are not affected by this vulnerability (RustSec Advisory).