GHSA-pg9f-39pc-qf8g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pg9f-39pc-qf8g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-pg9f-39pc-qf8g/GHSA-pg9f-39pc-qf8g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pg9f-39pc-qf8g
- Related
- Published
- 2025-04-10T14:30:39Z
- Modified
- 2025-04-10T14:30:39Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- crossbeam-channel Vulnerable to Double Free on Drop
- Details
-
The internal
Channeltype'sDropmethod has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption.Quoting from the upstream description in merge request #1187:
The problem lies in the fact that
dicard_all_messagescontained two paths that could lead tohead.blockbeing read but only one of them would swap the value. This meant thatdicard_all_messagescould end up observing a non-null block pointer (and therefore attempting to free it) without settinghead.blockto null. This would then lead toChannel::dropmaking a second attempt at dropping the same pointer.The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.
The fix is in upstream MR #1187 and has been published in 0.5.15
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-415" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-10T14:30:39Z" }- References
Affected packages
crates.io / crossbeam-channel
Package
- Name
- crossbeam-channel
- View open source insights on deps.dev
- Purl
- pkg:cargo/crossbeam-channel