
Cloud Vulnerability DB
A community-led vulnerabilities database
A use-after-free vulnerability was discovered in the rust-i18n-support package, versions 3.0.0 to 3.0.1. The vulnerability was introduced in version 3.0.0 with the implementation of the AtomicStr type, which is used to store the current locale. The issue was discovered on January 19, 2024, and was officially disclosed on January 23, 2024. It affects the package's locale handling functionality (RustSec Advisory).
The vulnerability stems from the AtomicStr type's implementation, which stores the locale as a raw pointer to an Arc. The critical flaw occurs in the AtomicStr::as_str() method, which does not increment the usage counter of the Arc. This implementation oversight means that when the locale is changed in one thread, another thread can end up with a stale reference to the stored string that may have already been freed (GitHub Advisory).
When exploited in a multi-threaded context, this vulnerability can lead to use-after-free conditions, potentially causing program crashes and memory corruption. The issue manifests particularly in scenarios where multiple threads simultaneously access and modify the locale settings (RustSec Advisory).
The vulnerability has been patched in version 3.0.1 of rust-i18n-support. The fix implements AtomicStr using arc_swap and triomphe::Arc to ensure thread-safe handling of the locale references. Users are strongly advised to upgrade to version 3.0.1 or later (GitHub Commit).
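The bug class and its remedy, as an added example that is not the crate's code: `RacyStr` sketches the flawed shape described above (a raw pointer to Arc-owned data, with a borrow handed out without a count increment), and `SharedStr` hands each reader its own `Arc`. Both type names are hypothetical, and the hardened form uses `std::sync::RwLock` as a std-only stand-in for the arc_swap and triomphe::Arc combination used in the actual fix.

```rust
use std::sync::atomic::{AtomicPtr, Ordering};
use std::sync::{Arc, RwLock};

/// Flawed shape (illustrative sketch): a raw pointer to Arc-owned data.
pub struct RacyStr(AtomicPtr<String>);

impl RacyStr {
    pub fn new(s: &str) -> Self {
        Self(AtomicPtr::new(Arc::into_raw(Arc::new(s.to_owned())) as *mut String))
    }
    /// UNSOUND: the borrow is returned without incrementing the Arc's
    /// count, so nothing keeps the String alive for the caller.
    pub fn as_str(&self) -> &str {
        unsafe { (&*self.0.load(Ordering::SeqCst)).as_str() }
    }
    /// Drops the only counted reference to the old value, freeing it even
    /// if another thread still holds a &str obtained from as_str().
    pub fn replace(&self, s: &str) {
        let new = Arc::into_raw(Arc::new(s.to_owned())) as *mut String;
        let old = self.0.swap(new, Ordering::SeqCst);
        unsafe { drop(Arc::from_raw(old as *const String)) };
    }
}

/// Hardened shape: every reader receives its own Arc (count incremented),
/// so a concurrent replace() cannot free data a reader still holds.
pub struct SharedStr(RwLock<Arc<str>>);

impl SharedStr {
    pub fn new(s: &str) -> Self {
        Self(RwLock::new(Arc::from(s)))
    }
    pub fn get(&self) -> Arc<str> {
        Arc::clone(&*self.0.read().unwrap())
    }
    pub fn replace(&self, s: &str) {
        *self.0.write().unwrap() = Arc::from(s);
    }
}

/// Take a snapshot, change the locale on another thread, read both values.
pub fn snapshot_survives_swap() -> (String, String) {
    let locale = Arc::new(SharedStr::new("en")); // constructed sample value
    let snapshot = locale.get();
    let writer = Arc::clone(&locale);
    std::thread::spawn(move || writer.replace("fr")).join().unwrap();
    (snapshot.to_string(), locale.get().to_string())
}

fn main() { println!("{:?}", snapshot_survives_swap()); }
```

When auditing similar code, the pattern to look for is an accessor that returns a borrow derived from a raw pointer while another `&self` method can free the pointee.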
Source: This report was generated using AI