VulnerableCode Package Details - pkg:cargo/crossbeam-channel@0.5.11

Search for packages

Vulnerability	Summary	Fixed by
VCID-91p7-6brm-y3br Aliases: CVE-2025-4574 GHSA-pg9f-39pc-qf8g	crossbeam-channel Vulnerable to Double Free on Drop The internal `Channel` type's `Drop` method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption. Quoting from the [upstream description in merge request \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131): > The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer. The bug was introduced while fixing a memory leak, in upstream [MR \#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084), first published in 0.5.12. The fix is in upstream [MR \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187) and has been published in 0.5.15	0.5.15 Affected by 0 other vulnerabilities.
VCID-zgn9-p6eq-83g1 Aliases: GHSA-w443-5h3j-jqcp	Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references. ### Original Description In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.	0.5.15 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-91p7-6brm-y3br
Aliases:
CVE-2025-4574
GHSA-pg9f-39pc-qf8g

crossbeam-channel Vulnerable to Double Free on Drop The internal `Channel` type's `Drop` method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption. Quoting from the [upstream description in merge request \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131): > The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer. The bug was introduced while fixing a memory leak, in upstream [MR \#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084), first published in 0.5.12. The fix is in upstream [MR \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187) and has been published in 0.5.15

0.5.15
Affected by 0 other vulnerabilities.

VCID-zgn9-p6eq-83g1
Aliases:
GHSA-w443-5h3j-jqcp

Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references. ### Original Description In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

0.5.15
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-03T13:02:17.970046+00:00	GHSA Importer	Affected by	VCID-zgn9-p6eq-83g1	https://github.com/advisories/GHSA-w443-5h3j-jqcp	37.0.0
2025-08-03T13:02:05.027989+00:00	GHSA Importer	Affected by	VCID-91p7-6brm-y3br	https://github.com/advisories/GHSA-pg9f-39pc-qf8g	37.0.0

2025-08-03T13:02:17.970046+00:00

GHSA Importer

Affected by

VCID-zgn9-p6eq-83g1

https://github.com/advisories/GHSA-w443-5h3j-jqcp

37.0.0

2025-08-03T13:02:05.027989+00:00

GHSA Importer

Affected by

VCID-91p7-6brm-y3br

https://github.com/advisories/GHSA-pg9f-39pc-qf8g

37.0.0

Next non-vulnerable version	0.5.15
Latest non-vulnerable version	0.5.15
Risk	3.1