## Tokio Broadcast Channel Security Patch Abandoned — Critical Unsoundness Risk Persists in Widely-Used Async Runtime
A pull request patching a memory safety vulnerability in the tokio async runtime has been abandoned, leaving a known unsoundness flaw in the broadcast channel component unresolved. The update to tokio v1.43.1, which addresses a soundness issue tracked as GHSA-rr8g-9fpq-6wmg, was marked abandoned without merged resolution, signaling that downstream projects depending on this critical Rust library may remain exposed to the vulnerability.

The flaw centers on how tokio's broadcast channel handles the `clone` operation when receiving stored values. The channel implementation only requires that stored types implement `Send`, not `Sync`. This creates a soundness violation when the channel is used with types that are `Send` but not `Sync`, provided their `clone` implementation relies on the value being `!Sync`. Austin Bonander identified and responsibly reported the issue. Version 1.43.1 contains the fix, but the dependency update PR carrying the patch was not completed.

Tokio is the de facto standard async runtime for Rust, powering a significant portion of production network services, distributed systems, and high-concurrency applications. The broadcast channel component is a core primitives module used for multi-consumer messaging patterns. The unpatched state raises risk for any project using broadcast channels with `Send`-only types whose `clone` implementations make assumptions about non-thread-safe access. No active exploitation has been reported, but the abandoned patch status means the vulnerability remains open in projects that pin to the affected version. Maintainers and security teams should audit tokio dependency versions and evaluate exposure in their specific code paths.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: tokio, rust, async-runtime, memory-safety, broadcast-channel
- **Credibility**: unverified
- **Published**: 2026-05-05 06:31:42
- **ID**: 79403
- **URL**: https://whisperx.ai/en/intel/79403