PT-2020-4833 · Crossbeam+3 · Crossbeam-Channel+3

Taiki-E · Published 2020-06-26 · Updated 2024-12-12 · CVE-2020-15254

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: crossbeam-channel versions prior to 0.4.4
Description: The issue is in the bounded channel of the crossbeam-channel library, which incorrectly assumes that Vec::from_iter allocates capacity equal to the number of iterator elements. However, Vec::from_iter may allocate extra memory, so reconstructing the Vec from a raw pointer with that assumed capacity leads to unsound deallocation with an incorrect capacity. This can cause issues with memory management.
Recommendations: For versions prior to 0.4.4, upgrade to crossbeam-channel 0.4.4 to fix the issue. As a temporary workaround, consider avoiding the use of the bounded channel until the upgrade is possible.
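
The capacity assumption described above, shown next to a construction that does not depend on it. This is an added example, not crossbeam-channel's code or its patch: `SlotBuf`, `from_iter_len_and_cap` and `rebuild_is_sound` are hypothetical names, and the buffer holds plain `u64` values in place of channel slots.

```rust
use std::ptr;

// Hypothetical stand-in for a bounded channel's slot array (not crossbeam's types).
struct SlotBuf {
    ptr: *mut u64,
    cap: usize,
}

impl SlotBuf {
    fn new(cap: usize) -> Self {
        // A boxed slice's allocation holds exactly `len` elements, so the
        // capacity recorded here is the capacity that was really allocated.
        let boxed: Box<[u64]> = (0..cap as u64).collect::<Vec<_>>().into_boxed_slice();
        let len = boxed.len();
        SlotBuf { ptr: Box::into_raw(boxed) as *mut u64, cap: len }
    }

    fn sum(&self) -> u64 {
        // SAFETY: `ptr` points to `cap` initialized u64 values owned by `self`.
        unsafe { std::slice::from_raw_parts(self.ptr, self.cap).iter().sum() }
    }
}

impl Drop for SlotBuf {
    fn drop(&mut self) {
        // SAFETY: `ptr` and `cap` describe the Box<[u64]> leaked in `new`.
        unsafe { drop(Box::from_raw(ptr::slice_from_raw_parts_mut(self.ptr, self.cap))) }
    }
}

// from_iter over an iterator with an inexact size_hint: the only guarantee is
// capacity >= len, which is why "capacity == element count" cannot be assumed.
fn from_iter_len_and_cap(n: u64) -> (usize, usize) {
    let v: Vec<u64> = (0..n * 2).filter(|x| x % 2 == 0).collect();
    (v.len(), v.capacity())
}

// Rebuilding with Vec::from_raw_parts(ptr, len, assumed_cap) requires this to hold.
fn rebuild_is_sound(v: &Vec<u64>, assumed_cap: usize) -> bool {
    v.capacity() == assumed_cap
}

fn main() {
    let (len, cap) = from_iter_len_and_cap(5);
    println!("from_iter: len={len} capacity={cap}");
    let mut spare = Vec::with_capacity(16); // constructed: guaranteed spare capacity
    spare.extend(0..5u64);
    println!("rebuild with cap=len sound? {}", rebuild_is_sound(&spare, spare.len()));
    println!("SlotBuf sum = {}", SlotBuf::new(5).sum());
}
```
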

Exploit

Fix

Buffer Overflow

Memory Leak


Weakness Enumeration

Related Identifiers

ALT-PU-2020-3120
ALT-PU-2021-3368
BDU:2020-05387
CVE-2020-15254
GHSA-M8H8-V6JH-C762
GHSA-V5M7-53CV-F3HX
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
RUSTSEC-2020-0052
USN-4599-1
USN-4599-2
USN-4599-3

Affected Products

Alt Linux
Linuxmint
Ubuntu
Crossbeam-Channel