Add advisory for loom: Lazy::get can return a dangling &'static reference

[yilin0518]

Affected crate(s)

• loom (7,612,927 recent downloads on crates.io)

Links to upstream issue(s) or PR(s)

• issue: Potential soundness issue in loom::lazy_static::Lazy::get returning static reference beyond execution lifetime tokio-rs/loom#406
• related PR: Fix #406 tokio-rs/loom#410

Severity

Soundness issue: Lazy::get returns a 'static reference that can outlive the loom model execution scope, leading to a dangling reference/use-after-free in safe code.

Checklist

• Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
• date field is set to the public disclosure date
• Contains a concise and descriptive title after advisory metadata
• Asked maintainer(s) if publishing an advisory is appropriate

The issue has been public for more than two months without upstream response.

[djc]

Pinged the Discord channel about this one to see if we can make some progress.

[djc]

loom is intended to a be a testing tool; therefore, UB should not be relevant for production deployments.