GoogleOSV:GHSA-PQQP-XMHJ-WGCWcrossbeam-deque Data Race before v0.7.4 and v0.8.1
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.4%
Impact
In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.
Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue.
Patches
This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
Credits
This issue was reported and fixed by Maor Kleinberger.
License
This advisory is in the public domain.
| CPE | Name | Operator | Version |
|---|---|---|---|
| crossbeam-deque | lt | 0.7.4 | |
| crossbeam-deque | lt | 0.8.1 | |
| crossbeam-deque | ge | 0.8.0 |
References
github.com/crossbeam-rs/crossbeam
github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw
lists.fedoraproject.org/archives/list/[email protected]/message/7EZILHZDRGDPOBQ4KTW3E5PPMKLHGH5N
lists.fedoraproject.org/archives/list/[email protected]/message/AWHNNBJCU4EHA2X5ZAMJMGLDUYS5FEPP
lists.fedoraproject.org/archives/list/[email protected]/message/AYBSLIYFANZLCYWOGTIYZUM26TJRH7WU
lists.fedoraproject.org/archives/list/[email protected]/message/CY5T3FCE4MUYSPKEWICLVJBBODGJ6SZE
lists.fedoraproject.org/archives/list/[email protected]/message/EW5B2VTDVMJ6B3DA4VLMAMW2GGDCE2BK
lists.fedoraproject.org/archives/list/[email protected]/message/LCIBFGBSL3JSVJQTNEDEIMZGZF23N2KE
lists.fedoraproject.org/archives/list/[email protected]/message/OCLMH7B7B2MF55ET4NQNPH7JWISFX4RT
lists.fedoraproject.org/archives/list/[email protected]/message/RRPKBRXCRNGNMVFQPFD4LM3QKPEMBQQR
lists.fedoraproject.org/archives/list/[email protected]/message/TFUBWBYCPSSXTJGEAQ67CJUNQJBOCM26
lists.fedoraproject.org/archives/list/[email protected]/message/U3LSN3B43TJSFIOB3QLPBI3RCHRU5BLO
lists.fedoraproject.org/archives/list/[email protected]/message/VQZIEJQBV3S72BHD5GKJQF3NVYNRV5CF
lists.fedoraproject.org/archives/list/[email protected]/message/WGB2H35CTZDHOV3VLC5BM6VFGURLLVRP
lists.fedoraproject.org/archives/list/[email protected]/message/XFBZWCLG7AGLJO4A7K5IMJVPLSWZ5TJP
lists.fedoraproject.org/archives/list/[email protected]/message/ZQDIBB7VR3ER52FMSMNJPAWNDO5SITCE
nvd.nist.gov/vuln/detail/CVE-2021-32810
rustsec.org/advisories/RUSTSEC-2021-0093.html
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.4%