CVE-2021-32810 – crossbeam-deque

Package

Manager: cargo
Name: crossbeam-deque
Vulnerable Version: >=0 <0.7.4 || >=0.8.0 <0.8.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01094 pctl0.77146

Details

crossbeam-deque Data Race before v0.7.4 and v0.8.1 ### Impact In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. ### Patches This has been fixed in crossbeam-deque 0.8.1 and 0.7.4. ### Credits This issue was reported and fixed by Maor Kleinberger. ### License This advisory is in the public domain.

Metadata

Created: 2021-08-25T21:01:15Z
Modified: 2022-08-10T23:46:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-pqqp-xmhj-wgcw/GHSA-pqqp-xmhj-wgcw.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-pqqp-xmhj-wgcw
Finding: F124
Auto approve: 1