VulnerableCode Package Details - pkg:cargo/crossbeam-channel@0.4.4

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hdx5-y848-3ke8	Incorrect buffer size in crossbeam-channel The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.	CVE-2020-35904 GHSA-m8h8-v6jh-c762
VCID-qdxa-nfnh-zkfa	In the crossbeam rust crate, the bounded channel incorrectly assumed that Vec::from_iter had allocated capacity that was the same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumptions - this is unsound and caused a deallocation with the incorrect capacity when Vec::from_iter had allocated different sizes than the number of iterator elements. The impact on Firefox is undetermined, but in another use case, the behavior was causing corruption of jemalloc structures.	CVE-2020-15254 GHSA-v5m7-53cv-f3hx

Vulnerability

Summary

Aliases

VCID-hdx5-y848-3ke8

Incorrect buffer size in crossbeam-channel The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.

CVE-2020-35904
GHSA-m8h8-v6jh-c762

VCID-qdxa-nfnh-zkfa

In the crossbeam rust crate, the bounded channel incorrectly assumed that Vec::from_iter had allocated capacity that was the same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumptions - this is unsound and caused a deallocation with the incorrect capacity when Vec::from_iter had allocated different sizes than the number of iterator elements. The impact on Firefox is undetermined, but in another use case, the behavior was causing corruption of jemalloc structures.

CVE-2020-15254
GHSA-v5m7-53cv-f3hx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T13:39:33.713619+00:00	GHSA Importer	Fixing	VCID-qdxa-nfnh-zkfa	https://github.com/advisories/GHSA-v5m7-53cv-f3hx	37.0.0
2025-08-01T13:39:26.679133+00:00	GHSA Importer	Fixing	VCID-hdx5-y848-3ke8	https://github.com/advisories/GHSA-m8h8-v6jh-c762	37.0.0

2025-08-01T13:39:33.713619+00:00

GHSA Importer

Fixing

VCID-qdxa-nfnh-zkfa

https://github.com/advisories/GHSA-v5m7-53cv-f3hx

37.0.0

2025-08-01T13:39:26.679133+00:00

GHSA Importer

Fixing

VCID-hdx5-y848-3ke8

https://github.com/advisories/GHSA-m8h8-v6jh-c762

37.0.0