ghsa-pg9f-39pc-qf8g
Vulnerability from github
The internal Channel type's Drop method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.
Quoting from the upstream description in merge request #1187:
The problem lies in the fact that
dicard_all_messagescontained two paths that could lead tohead.blockbeing read but only one of them would swap the value. This meant thatdicard_all_messagescould end up observing a non-null block pointer (and therefore attempting to free it) without settinghead.blockto null. This would then lead toChannel::dropmaking a second attempt at dropping the same pointer.
The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.
The fix is in upstream MR #1187 and has been published in 0.5.15
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "crossbeam-channel"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.11"
},
{
"fixed": "0.5.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4574"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T14:30:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The internal `Channel` type\u0027s `Drop` method has a race\nwhich could, in some circumstances, lead to a double-free.\nThis could result in memory corruption.\n\nQuoting from the\n[upstream description in merge request \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):\n\n\u003e The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.\n\nThe bug was introduced while fixing a memory leak, in\nupstream [MR \\#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),\nfirst published in 0.5.12.\n\nThe fix is in\nupstream [MR \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)\nand has been published in 0.5.15",
"id": "GHSA-pg9f-39pc-qf8g",
"modified": "2025-05-15T18:26:52Z",
"published": "2025-04-10T14:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4574"
},
{
"type": "WEB",
"url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-4574"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
},
{
"type": "PACKAGE",
"url": "https://github.com/crossbeam-rs/crossbeam"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "crossbeam-channel Vulnerable to Double Free on Drop"
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.