GHSA-w59h-378f-2frm: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-w59h-378f-2frm) affects the threadalone Rust crate versions prior to 0.2.1, discovered and disclosed in January 2024. The issue allows non-Send types to be unsoundly sent across threads, potentially leading to undefined behavior. This vulnerability was identified when stderr write operations performed by the threadalone crate fail, such as when stderr is redirected to a full filesystem or when stderr is a closed pipe (GitHub Advisory, RustSec Advisory).

The vulnerability stems from a flaw in the Drop implementation where non-Send types can be executed on a different thread than where they were created. The issue manifests when stderr write operations fail, bypassing the intended thread safety checks. The Drop implementation was designed to either drop T if on the correct thread or print and abort if on an incorrect thread, but due to the use of eprintln! macro which can panic, the actual behavior allows dropping T and unwinding when stderr is not writable on an incorrect thread (GitHub Issue).

The vulnerability can lead to undefined behavior in several scenarios. When used with pthread-based MutexGuard, it results in undefined behavior. Similarly, when used with Rc types, it can cause data races on reference counts, also leading to undefined behavior. These issues can potentially result in memory corruption and segmentation faults in safe Rust code (RustSec Advisory).

The vulnerability has been patched in version 0.2.1 of the threadalone crate. Users are advised to upgrade to this version or later to address the issue (GitHub Advisory).