VulnerableCode Package Details - pkg:cargo/crossbeam-channel@0.5.15

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7mwd-wjet-eqhd	Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references. ### Original Description In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.	GHSA-w443-5h3j-jqcp
VCID-7vj2-6tfw-3fd4	crossbeam-channel Vulnerable to Double Free on Drop The internal `Channel` type's `Drop` method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption. Quoting from the [upstream description in merge request \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131): > The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer. The bug was introduced while fixing a memory leak, in upstream [MR \#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084), first published in 0.5.12. The fix is in upstream [MR \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187) and has been published in 0.5.15	CVE-2025-4574 GHSA-pg9f-39pc-qf8g

Vulnerability

Summary

Aliases

VCID-7mwd-wjet-eqhd

Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references. ### Original Description In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

GHSA-w443-5h3j-jqcp

VCID-7vj2-6tfw-3fd4

crossbeam-channel Vulnerable to Double Free on Drop The internal `Channel` type's `Drop` method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption. Quoting from the [upstream description in merge request \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131): > The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer. The bug was introduced while fixing a memory leak, in upstream [MR \#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084), first published in 0.5.12. The fix is in upstream [MR \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187) and has been published in 0.5.15

CVE-2025-4574
GHSA-pg9f-39pc-qf8g

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-07T04:57:47.590937+00:00	GHSA Importer	Fixing	VCID-7mwd-wjet-eqhd	https://github.com/advisories/GHSA-w443-5h3j-jqcp	38.1.0
2026-04-07T04:57:35.274086+00:00	GHSA Importer	Fixing	VCID-7vj2-6tfw-3fd4	https://github.com/advisories/GHSA-pg9f-39pc-qf8g	38.1.0

2026-04-07T04:57:47.590937+00:00

GHSA Importer

Fixing

VCID-7mwd-wjet-eqhd

https://github.com/advisories/GHSA-w443-5h3j-jqcp

38.1.0

2026-04-07T04:57:35.274086+00:00

GHSA Importer

Fixing

VCID-7vj2-6tfw-3fd4

https://github.com/advisories/GHSA-pg9f-39pc-qf8g

38.1.0