VulnerableCode Package Details - pkg:cargo/crossbeam-channel@0.4.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-hdx5-y848-3ke8 Aliases: CVE-2020-35904 GHSA-m8h8-v6jh-c762	Incorrect buffer size in crossbeam-channel The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.	0.4.4 Affected by 0 other vulnerabilities.
VCID-qdxa-nfnh-zkfa Aliases: CVE-2020-15254 GHSA-v5m7-53cv-f3hx	In the crossbeam rust crate, the bounded channel incorrectly assumed that Vec::from_iter had allocated capacity that was the same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumptions - this is unsound and caused a deallocation with the incorrect capacity when Vec::from_iter had allocated different sizes than the number of iterator elements. The impact on Firefox is undetermined, but in another use case, the behavior was causing corruption of jemalloc structures.	0.4.4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-hdx5-y848-3ke8
Aliases:
CVE-2020-35904
GHSA-m8h8-v6jh-c762

Incorrect buffer size in crossbeam-channel The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.

0.4.4
Affected by 0 other vulnerabilities.

VCID-qdxa-nfnh-zkfa
Aliases:
CVE-2020-15254
GHSA-v5m7-53cv-f3hx

In the crossbeam rust crate, the bounded channel incorrectly assumed that Vec::from_iter had allocated capacity that was the same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumptions - this is unsound and caused a deallocation with the incorrect capacity when Vec::from_iter had allocated different sizes than the number of iterator elements. The impact on Firefox is undetermined, but in another use case, the behavior was causing corruption of jemalloc structures.

0.4.4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-a7bt-fvvu-tkcq	Channel creates zero value of any type Affected versions of this crate called `mem::zeroed()` to create values of a user-supplied type `T`. This is unsound e.g. if `T` is a reference type (which must be non-null). The flaw was corrected by avoiding the use of `mem::zeroed()`, using `MaybeUninit` instead.	GHSA-9g55-pg62-m8hh

Vulnerability

Summary

Aliases

VCID-a7bt-fvvu-tkcq

Channel creates zero value of any type Affected versions of this crate called `mem::zeroed()` to create values of a user-supplied type `T`. This is unsound e.g. if `T` is a reference type (which must be non-null). The flaw was corrected by avoiding the use of `mem::zeroed()`, using `MaybeUninit` instead.

GHSA-9g55-pg62-m8hh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T13:39:33.708714+00:00	GHSA Importer	Affected by	VCID-qdxa-nfnh-zkfa	https://github.com/advisories/GHSA-v5m7-53cv-f3hx	37.0.0
2025-08-01T13:39:26.673028+00:00	GHSA Importer	Affected by	VCID-hdx5-y848-3ke8	https://github.com/advisories/GHSA-m8h8-v6jh-c762	37.0.0
2025-07-31T12:34:27.085182+00:00	GHSA Importer	Fixing	VCID-a7bt-fvvu-tkcq	https://github.com/advisories/GHSA-9g55-pg62-m8hh	37.0.0