Vulnerabilities affecting this package (0)

| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |

Vulnerabilities fixed by this package (2)

| Vulnerability | Summary | Aliases |
|
VCID-91p7-6brm-y3br
|
crossbeam-channel Vulnerable to Double Free on Drop
The internal `Channel` type's `Drop` method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.
Quoting from the [upstream description in merge request #1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):
> The problem lies in the fact that `discard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `discard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.
The bug was introduced while fixing a memory leak, in upstream [MR #1084](https://github.com/crossbeam-rs/crossbeam/pull/1084), first published in 0.5.12.
The fix is in upstream [MR #1187](https://github.com/crossbeam-rs/crossbeam/pull/1187) and has been published in 0.5.15.
|
CVE-2025-4574
GHSA-pg9f-39pc-qf8g
|
|
VCID-zgn9-p6eq-83g1
|
Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references.
### Original Description
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
|
GHSA-w443-5h3j-jqcp
|