{"id":"RUSTSEC-2025-0024","summary":"crossbeam-channel: double free on Drop","details":"The internal `Channel` type's `Drop` method has a race\nwhich could, in some circumstances, lead to a double-free.\nThis could result in memory corruption.\n\nQuoting from the\n[upstream description in merge request \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):\n\n\u003e The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.\n\nThe bug was introduced while fixing a memory leak, in\nupstream [MR \\#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),\nfirst published in 0.5.12.\n\nThe fix is in\nupstream [MR \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)\nand has been published in 0.5.15","aliases":["CVE-2025-4574","GHSA-pg9f-39pc-qf8g","TROVE-2025-013"],"modified":"2025-10-28T06:29:00.070713Z","published":"2025-04-08T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/crossbeam-channel"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0024.html"},{"type":"WEB","url":"https://github.com/crossbeam-rs/crossbeam/pull/1187"}],"affected":[{"package":{"name":"crossbeam-channel","ecosystem":"crates.io","purl":"pkg:cargo/crossbeam-channel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.5.12-0"},{"fixed":"0.5.15"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":[],"arch":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0024.json","cvss":null,"categories":["memory-corruption"],"informational":null}}],"schema_version":"1.7.3"}