Bug 2358890 (CVE-2025-4574, GHSA-pg9f-39pc-qf8g)

Summary: CVE-2025-4574 crossbeam-channel: crossbeam-channel Vulnerable to Double Free on Drop
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: anthomas, bsmejkal, dbosanac, ehelms, ggainey, gkamathe, gotiwari, jachapma, jhorak, jkoehler, jreimann, juwatts, lball, lphiri, mdessi, mhulan, mrizzi, mvyas, ngough, nkathole, nmoumoul, osousa, pcattana, pcreech, progier, rchan, smallamp, spichugi, ssidhaye, tbordaz, teagle, tpopela, vashirov, veshanka
Keywords: Security
Hardware: All
OS: Linux
Doc Text: In the crossbeam-channel Rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
Bug Depends On: 2366528, 2366529, 2366530, 2366531, 2366532, 2366533, 2366534, 2366535, 2366536, 2366537, 2366538, 2366543, 2366545, 2366546, 2366547, 2366552, 2366553, 2366554, 2366555, 2366556, 2366557, 2366558, 2366559, 2366560, 2366561, 2366562, 2366564, 2366575, 2366577, 2366578, 2366581, 2366524, 2366525, 2366526, 2366527, 2366539, 2366540, 2366541, 2366542, 2366544, 2366548, 2366549, 2366550, 2366551, 2366563, 2366565, 2366566, 2366567, 2366568, 2366569, 2366570, 2366571, 2366572, 2366573, 2366576, 2366579, 2366580    

Description OSIDB Bzimport 2025-04-10 16:02:23 UTC
The internal `Channel` type's `Drop` method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.

Quoting from the
[upstream description in merge request #1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):

> The problem lies in the fact that `discard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `discard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.

The bug was introduced while fixing a memory leak, in
upstream [MR #1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),
first published in 0.5.12.

The fix is in
upstream [MR #1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)
and has been published in 0.5.15.
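
A simplified model of the flaw described in the quoted upstream text, added here as an illustration and not code from crossbeam-channel: block pointers are replaced by integer ids and deallocation by a log, so a second free is counted rather than performed. `Model`, `ReadPath` and `frees_of_block` are hypothetical names, and the choice of path is passed in explicitly instead of reproducing the crate's real branch condition.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};

const NULL: usize = 0; // stands in for a null block pointer

/// Stand-in for the channel: `head_block` holds a block id (0 = null),
/// `frees` logs every id handed to the pretend deallocator.
struct Model {
    head_block: AtomicUsize,
    frees: Vec<usize>,
}

/// The two ways the cleanup routine can read `head_block`.
#[derive(Clone, Copy)]
enum ReadPath {
    Swap,     // reads the pointer and leaves null behind (ownership taken)
    LoadOnly, // reads the pointer but leaves it in place (the flawed path)
}

impl Model {
    fn new(block: usize) -> Self {
        Model { head_block: AtomicUsize::new(block), frees: Vec::new() }
    }

    /// Models the cleanup step: free the block that was observed.
    fn discard_all_messages(&mut self, path: ReadPath) {
        let block = match path {
            ReadPath::Swap => self.head_block.swap(NULL, Ordering::AcqRel),
            ReadPath::LoadOnly => self.head_block.load(Ordering::Acquire),
        };
        if block != NULL {
            self.frees.push(block);
        }
    }

    /// Models `Channel::drop`: free whatever `head_block` still refers to.
    fn drop_channel(&mut self) {
        let block = self.head_block.load(Ordering::Relaxed);
        if block != NULL {
            self.frees.push(block);
        }
    }
}

/// Runs cleanup followed by drop and returns how often block 1 was freed.
fn frees_of_block(path: ReadPath) -> usize {
    let mut m = Model::new(1);
    m.discard_all_messages(path);
    m.drop_channel();
    m.frees.iter().filter(|&&b| b == 1).count()
}
```

The invariant to check in review is that every path which frees the block also clears the shared pointer in the same atomic operation; in this model that is the `Swap` path, and only `LoadOnly` yields a count of two.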