
GHSA-pg9f-39pc-qf8g: crossbeam-channel Vulnerable to Double Free on Drop

Severity: Moderate (GitHub Reviewed). Published to the GitHub Advisory Database Apr 10, 2025; last updated Apr 10, 2025.

Package

cargo crossbeam-channel (Rust)

Affected versions

>= 0.5.11, < 0.5.15

The internal Channel type's Drop method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption.

Quoting from the upstream description in merge request #1187:

The problem lies in the fact that discard_all_messages contained two paths that could lead to head.block being read but only one of them would swap the value. This meant that discard_all_messages could end up observing a non-null block pointer (and therefore attempting to free it) without setting head.block to null. This would then lead to Channel::drop making a second attempt at dropping the same pointer.

The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.

The fix is in upstream MR #1187 and has been published in 0.5.15.
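The interleaving the upstream description refers to, as an added illustration that is not crossbeam's code: the real Channel is a lock-free linked list of blocks with head and tail indices, while this model collapses it to a single head block and instruments the deallocator so the second free is counted rather than corrupting the heap. The names FreeLog, run_scenario, init_gate and head_block are inventions of this example; the barrier exists only to force the racy ordering (receiver's first swap sees null, sender then installs the block, receiver's spin path picks it up) deterministically. The buggy spin path reads head.block with a load, as the advisory describes; the fixed path swaps it to null on every path that observes it.

```rust
use std::ptr;
use std::sync::atomic::{AtomicPtr, AtomicUsize, Ordering};
use std::sync::{Arc, Barrier, Mutex};
use std::thread;

/// A block of message slots. The payload plays no part in the bug.
struct Block {
    _slots: [u64; 4],
}

/// Instrumented deallocator (hypothetical, for this demo): a real `Box` drop
/// the first time a pointer is seen, and a counter bump instead of undefined
/// behaviour on any repeat, so the double free becomes observable.
#[derive(Default)]
struct FreeLog {
    freed: Mutex<Vec<usize>>,
    double_frees: AtomicUsize,
}

impl FreeLog {
    fn free(&self, p: *mut Block) {
        if p.is_null() {
            return;
        }
        let mut freed = self.freed.lock().unwrap();
        if freed.contains(&(p as usize)) {
            // Second free of the same allocation: the double free.
            self.double_frees.fetch_add(1, Ordering::Relaxed);
            return;
        }
        freed.push(p as usize);
        // SAFETY: `p` came from Box::into_raw and has not been freed before.
        unsafe { drop(Box::from_raw(p)) };
    }
}

/// Stand-in for the list Channel: one head block, a barrier that forces the
/// racy interleaving, and a flag selecting the buggy or the fixed spin path.
struct Channel {
    head_block: AtomicPtr<Block>,
    init_gate: Barrier,
    fixed: bool,
    log: Arc<FreeLog>,
}

impl Channel {
    /// Modelled on `discard_all_messages`. Path 1 swaps the head block out.
    /// Path 2 (a sender has not finished installing the block yet) spins
    /// until the pointer is non-null; the bug is that it only loads.
    fn discard_all_messages(&self) {
        let mut block = self.head_block.swap(ptr::null_mut(), Ordering::AcqRel);
        if block.is_null() {
            // Release the sender only now, so the block is guaranteed to
            // arrive through the spin path rather than the first swap.
            self.init_gate.wait();
            while block.is_null() {
                thread::yield_now();
                block = if self.fixed {
                    // Fixed: every path that observes the pointer also clears it.
                    self.head_block.swap(ptr::null_mut(), Ordering::AcqRel)
                } else {
                    // Buggy: observe the pointer but leave head.block set.
                    self.head_block.load(Ordering::Acquire)
                };
            }
        }
        self.log.free(block);
    }
}

impl Drop for Channel {
    /// Modelled on `Channel::drop`: frees whatever head.block still holds.
    fn drop(&mut self) {
        let block = *self.head_block.get_mut();
        self.log.free(block);
    }
}

/// Runs the race: the receiver starts discarding before any sender has
/// installed the first block, the sender then installs it, the receiver's
/// spin path frees it, and finally the channel is dropped. Returns how many
/// double frees the instrumented deallocator counted.
fn run_scenario(fixed: bool) -> usize {
    let log = Arc::new(FreeLog::default());
    let chan = Arc::new(Channel {
        head_block: AtomicPtr::new(ptr::null_mut()),
        init_gate: Barrier::new(2),
        fixed,
        log: Arc::clone(&log),
    });
    let sender = {
        let chan = Arc::clone(&chan);
        thread::spawn(move || {
            chan.init_gate.wait();
            let block = Box::into_raw(Box::new(Block { _slots: [0; 4] }));
            chan.head_block.store(block, Ordering::Release);
        })
    };
    chan.discard_all_messages();
    sender.join().unwrap();
    drop(chan); // last Arc: Channel::drop runs here
    log.double_frees.load(Ordering::Relaxed)
}

fn main() {
    println!("buggy (load) spin path: {} double free(s)", run_scenario(false));
    println!("fixed (swap) spin path: {} double free(s)", run_scenario(true));
}
```

With the buggy path, run_scenario(false) reports one double free: discard_all_messages frees the block it observed through the load, head_block is never cleared, and Channel::drop frees the same pointer again. With the swap on every path, run_scenario(true) reports zero. The general lesson is the one the fix applies: any code path that takes ownership of a pointer it intends to free must also remove it from the shared location, atomically, in the same step.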

References

  • crossbeam-rs/crossbeam#1187
  • https://rustsec.org/advisories/RUSTSEC-2025-0024.html