GHSA-x4mq-m75f-mx8m: 
Rust vulnerability analysis and mitigation

The windows crate (versions >= 0.1.2 and < 0.32.0) contained a critical vulnerability where delegate functions lacked the required Send bound, despite being potentially executed on different threads. This vulnerability was discovered on January 2, 2022, and was assigned the identifier GHSA-x4mq-m75f-mx8m. The issue affected the Windows API bindings in Rust, specifically impacting event handler implementations (RustSec Advisory).

The vulnerability stemmed from the absence of the Send trait bound in delegate function implementations. Event handlers, particularly in cases like Direct3D11CaptureFramePool::CreateFreeThreaded, could be executed on worker threads different from where they were created. The implementation allowed safe code to send non-Send types across thread boundaries, which violates Rust's thread safety guarantees. The issue was fixed in version 0.32.0 by adding the ::core::marker::Send bound to delegate function signatures (GitHub Issue).

This vulnerability could lead to data races and undefined behavior in multi-threaded applications using the windows crate. The issue was particularly problematic when using event handlers that could be invoked from different threads, potentially causing memory corruption or thread safety violations when handling non-thread-safe types (RustSec Advisory).

The issue was resolved in version 0.32.0 of the windows crate by adding the required Send bound to delegate functions. Users should upgrade to version 0.32.0 or later to ensure thread safety. The fix was implemented through commit afe3252, which added the ::core::marker::Send trait bound to all delegate function signatures (RustSec Advisory).