Bug 2358890 (CVE-2025-4574, GHSA-pg9f-39pc-qf8g) - CVE-2025-4574 crossbeam-channel: crossbeam-channel Vulnerable to Double Free on Drop
Summary: CVE-2025-4574 crossbeam-channel: crossbeam-channel Vulnerable to Double Free ...
Keywords:
Status: NEW
Alias: CVE-2025-4574, GHSA-pg9f-39pc-qf8g
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2366524 2366525 2366526 2366527 2366528 2366529 2366530 2366531 2366532 2366533 2366534 2366535 2366536 2366537 2366538 2366539 2366542 2366543 2366544 2366545 2366546 2366547 2366548 2366549 2366550 2366551 2366552 2366553 2366554 2366555 2366556 2366557 2366558 2366559 2366560 2366561 2366562 2366563 2366564 2366565 2366566 2366572 2366573 2366575 2366576 2366577 2366578 2366579 2366580 2366581 2366540 2366541 2366567 2366568 2366569 2366570 2366571
Blocks:
Reported: 2025-04-10 16:02 UTC by OSIDB Bzimport
Modified: 2025-05-15 14:36 UTC (History)
CC: 36 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-10 16:02:23 UTC
The internal `Channel` type's `Drop` method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.

Quoting from the
[upstream description in merge request \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):

> The problem lies in the fact that `discard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `discard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.

The bug was introduced while fixing a memory leak, in
upstream [MR \#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),
first published in 0.5.12.

The fix is in
upstream [MR \#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)
and has been published in 0.5.15.
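The mechanism quoted above, as an added example that is not code from the crate, the advisory, or either merge request: a constructed Rust model of a `Channel` whose `discard_all_messages` has two paths that read `head.block`, the buggy one using `load` and the fixed one using `swap`, with a release counter standing in for the real deallocation so that the second release by `Channel::drop` is observable instead of being undefined behaviour. The names `release`, `releases_after_drop`, `slow_path` and `fixed` are assumptions of this model, not identifiers from the crate.

```rust
use std::cell::Cell;
use std::ptr;
use std::rc::Rc;
use std::sync::atomic::{AtomicPtr, Ordering};

struct Block { _slots: [u64; 4] } // stand-in for the channel's list block

// Model of the list-based `Channel` (constructed, not the crate's code). `_storage` owns
// the block so nothing is deallocated through the raw pointer in `head`; each release
// attempt is counted in `frees` instead, so a double free shows up as a count of 2.
struct Channel {
    head: AtomicPtr<Block>,
    _storage: Box<Block>,
    frees: Rc<Cell<usize>>,
    fixed: bool,
}

impl Channel {
    fn new(fixed: bool, frees: Rc<Cell<usize>>) -> Self {
        let mut storage = Box::new(Block { _slots: [0; 4] });
        let head = AtomicPtr::new(&mut *storage as *mut Block);
        Channel { head, _storage: storage, frees, fixed }
    }
    // Where the real crate frees the block; here only the attempt is recorded.
    fn release(&self, block: *mut Block) {
        if !block.is_null() { self.frees.set(self.frees.get() + 1); }
    }
    // `slow_path` selects the second path the advisory describes: it reads `head.block`
    // but, before the fix, never swapped it to null, so `Drop` later sees it again.
    fn discard_all_messages(&self, slow_path: bool) {
        let block = if slow_path && !self.fixed {
            self.head.load(Ordering::Acquire) // bug: observes the pointer, leaves it in place
        } else {
            self.head.swap(ptr::null_mut(), Ordering::AcqRel) // takes ownership of the pointer
        };
        self.release(block);
    }
}

impl Drop for Channel {
    fn drop(&mut self) {
        // Releases whatever `discard_all_messages` left behind in `head`.
        self.release(self.head.swap(ptr::null_mut(), Ordering::AcqRel));
    }
}
// One discard followed by the channel drop; returns how often the block was released.
pub fn releases_after_drop(fixed: bool, slow_path: bool) -> usize {
    let frees = Rc::new(Cell::new(0));
    let ch = Channel::new(fixed, Rc::clone(&frees));
    ch.discard_all_messages(slow_path);
    drop(ch); // runs `Channel::drop`
    frees.get()
}
```

With `fixed = false` and `slow_path = true` the block is released twice (once by the discard, once by the drop); every other combination releases it exactly once.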

