RUSTSEC-2021-0093

See a problem?

Source

https://rustsec.org/advisories/RUSTSEC-2021-0093

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0093.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2021-0093

Aliases

Published

2021-07-30T12:00:00Z

Modified

2023-11-01T04:55:31.574454Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Data race in crossbeam-deque

Details

In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.

Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue.

Credits to @kmaork for discovering, reporting and fixing the bug.

References

Affected packages

crates.io / crossbeam-deque

Package

Name: crossbeam-deque; View open source insights on deps.dev
Purl: pkg:cargo/crossbeam-deque

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.7.4

Introduced

0.8.0

Fixed

0.8.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "informational": null,
    "categories": [
        "memory-corruption"
    ]
}