
AIKIDO-2026-10368

once_cell is vulnerable to Use of Uninitialized Resource

Use of Uninitialized Resource | Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 17, 2026

48 (Medium Risk)

This Affects:

Rust: once_cell
Affected versions: 1.12.0 - 1.21.3
Fixed in 1.21.4

TL;DR

Affected versions of this package contain a memory safety vulnerability in OnceCell::wait when the parking_lot feature is enabled. Under certain race conditions, where one thread calls wait() while another thread attempts initialization using get_or_try_init, a panic during initialization may cause wait() to return even though initialization did not complete. The waiting thread may then observe the cell as initialized while it actually contains uninitialized memory, which is undefined behavior. The fix corrects the synchronization logic so that wait() returns only after successful initialization.
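The invariant the fix restores, shown as an added model that is not once_cell's code or its patch. It assumes std Mutex/Condvar in place of the parking_lot feature, and ModelCell, Reset and State are hypothetical names. wait() re-checks the state after every wakeup, so a panicked or failed initializer cannot make it return.

```rust
use std::sync::{Condvar, Mutex};
// Model only: std Mutex/Condvar stand in for the parking_lot-backed cell;
// ModelCell, Reset and State are hypothetical names, not once_cell items.
#[derive(PartialEq)]
enum State { Empty, Running, Done }

pub struct ModelCell<T> { inner: Mutex<(State, Option<T>)>, cv: Condvar }

// Drop guard: runs on success, Err and panic; an unfinished init is rolled back.
struct Reset<'a, T>(&'a ModelCell<T>);
impl<T> Drop for Reset<'_, T> {
    fn drop(&mut self) {
        let mut g = self.0.inner.lock().unwrap();
        if g.0 == State::Running { g.0 = State::Empty; }
        drop(g);
        self.0.cv.notify_all(); // waiters wake up and re-check the state
    }
}
impl<T: Clone> ModelCell<T> {
    pub fn new() -> Self {
        ModelCell { inner: Mutex::new((State::Empty, None)), cv: Condvar::new() }
    }
    pub fn get_or_try_init<E>(&self, f: impl FnOnce() -> Result<T, E>) -> Result<T, E> {
        let mut g = self.inner.lock().unwrap();
        while g.0 == State::Running { g = self.cv.wait(g).unwrap(); }
        if g.0 == State::Done { return Ok(g.1.clone().unwrap()); }
        g.0 = State::Running;
        drop(g); // run the initializer without holding the lock
        let _reset = Reset(self);
        let v = f()?;
        let mut g = self.inner.lock().unwrap();
        g.1 = Some(v.clone());
        g.0 = State::Done; // published only after the value is stored
        drop(g);
        Ok(v)
    }
    // A wakeup is not proof of success: return only once the state is Done.
    pub fn wait(&self) -> T {
        let mut g = self.inner.lock().unwrap();
        while g.0 != State::Done { g = self.cv.wait(g).unwrap(); }
        g.1.clone().unwrap()
    }
}
fn main() {
    let c = ModelCell::new();
    assert!(c.get_or_try_init(|| Err::<u32, _>("constructed failure")).is_err());
    assert_eq!(c.get_or_try_init(|| Ok::<_, ()>(7)), Ok(7));
    assert_eq!(c.wait(), 7);
}
```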

Who does this affect?

You are affected if you use a once_cell version within the vulnerable range (1.12.0 - 1.21.3). The behavior described in the TL;DR requires the parking_lot feature to be enabled.

Background info

once_cell is vulnerable to Use of Uninitialized Resource in versions 1.12.0 - 1.21.3.

How to fix this

Upgrade the once_cell library to the patched version, 1.21.4.