{"id":"CVE-2022-23639","summary":"Improper Restriction of Operations within the Bounds of a Memory Buffer and Race Condition in crossbeam-utils","details":"crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of `{i,u}64` was always the same as `Atomic{I,U}64`. However, the alignment of `{i,u}64` on a 32-bit target can be smaller than `Atomic{I,U}64`. This can cause unaligned memory accesses and data race. Crates using `fetch_*` methods with `AtomicCell\u003c{i,u}64\u003e` are affected by this issue. 32-bit targets without `Atomic{I,U}64` and 64-bit targets are not affected by this issue. This has been fixed in crossbeam-utils 0.8.7. There are currently no known workarounds.","aliases":["GHSA-qc84-gqf4-9926","RUSTSEC-2022-0041"],"modified":"2026-04-10T04:44:54.141394Z","published":"2022-02-15T18:20:10Z","database_specific":{"cwe_ids":["CWE-362"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23639.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/crossbeam-rs/crossbeam/releases/tag/crossbeam-utils-0.8.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23639.json"},{"type":"ADVISORY","url":"https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23639"},{"type":"FIX","url":"https://github.com/crossbeam-rs/crossbeam/pull/781"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/crossbeam-rs/crossbeam","events":[{"introduced":"0"},{"fixed":"2988f873f87d2263a7fd2b9465fb9c28f43a6490"}]}],"versions":["0.2.10","crossbeam-0.5.0","crossbeam-0.6.0","crossbeam-0.7.0","crossbeam-0.7.1","crossbeam-0.7.2","crossbeam-0.7.3","crossbeam-0.8.0","crossbeam-0.8.1","crossbeam-channel-0.3.1","crossbeam-channel-0.3.2","crossbeam-channel-0.3.3","crossbeam-channel-0.3.4","crossbeam-channel-0.3.5","crossbeam-channel-0.3.6","crossbeam-channel-0.3.7","crossbeam-channel-0.3.8","crossbeam-channel-0.3.9","crossbeam-channel-0.4.0","crossbeam-channel-0.4.2","crossbeam-channel-0.4.3","crossbeam-channel-0.5.0","crossbeam-channel-0.5.1","crossbeam-channel-0.5.2","crossbeam-deque-0.6.2","crossbeam-deque-0.6.3","crossbeam-deque-0.7.0","crossbeam-deque-0.7.1","crossbeam-deque-0.7.2","crossbeam-deque-0.8.0","crossbeam-deque-0.8.1","crossbeam-epoch-0.6.1","crossbeam-epoch-0.7.0","crossbeam-epoch-0.7.1","crossbeam-epoch-0.7.2","crossbeam-epoch-0.8.0","crossbeam-epoch-0.8.2","crossbeam-epoch-0.9.0","crossbeam-epoch-0.9.1","crossbeam-epoch-0.9.2","crossbeam-epoch-0.9.3","crossbeam-epoch-0.9.4","crossbeam-epoch-0.9.5","crossbeam-epoch-0.9.6","crossbeam-queue-0.1.0","crossbeam-queue-0.1.1","crossbeam-queue-0.1.2","crossbeam-queue-0.2.0","crossbeam-queue-0.2.1","crossbeam-queue-0.3.0","crossbeam-queue-0.3.1","crossbeam-queue-0.3.2","crossbeam-queue-0.3.3","crossbeam-utils-0.6.0","crossbeam-utils-0.6.1","crossbeam-utils-0.6.2","crossbeam-utils-0.6.3","crossbeam-utils-0.6.4","crossbeam-utils-0.6.5","crossbeam-utils-0.6.6","crossbeam-utils-0.7.0","crossbeam-utils-0.7.2","crossbeam-utils-0.8.0","crossbeam-utils-0.8.1","crossbeam-utils-0.8.2","crossbeam-utils-0.8.3","crossbeam-utils-0.8.4","crossbeam-utils-0.8.5","crossbeam-utils-0.8.6","v0.3.0","v0.3.1","v0.3.2","v0.4.0","v0.4.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23639.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}