PT-2021-4464 · Crates.Io+9 · Crossbeam-Deque+9
Maor Kleinberger · Published 2021-07-30 · Updated 2024-12-12 · CVE-2021-32810
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
crossbeam-deque versions prior to 0.7.4 and 0.8.0
Description
The issue is caused by a race condition that can result in one or more tasks in the worker queue being popped twice, while other tasks are forgotten and never popped. If tasks are allocated on the heap, this can cause a double free and a memory leak. If not, this can still cause a logical bug. Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue.
Recommendations
For crossbeam-deque versions prior to 0.7.4, update to version 0.7.4 or later.
For crossbeam-deque versions prior to 0.8.0, update to version 0.8.1 or later.
As a temporary workaround, consider restricting the use of Stealer::steal, Stealer::steal_batch, and Stealer::steal_batch_and_pop until a patch is available.
Exploit
Fix
Use After Free
Race Condition
Buffer Overflow
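One way to check a Cargo.lock against the version recommendations above, as an added example (not code from this advisory or from the crossbeam project). It assumes the affected set is every release before 0.7.4 plus 0.8.0, which 0.8.1 fixes; the function names and the lockfile excerpt are constructed for illustration.

```rust
// Added example. Assumption: affected versions are < 0.7.4, plus 0.8.0.

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Fixed releases are 0.7.4 and later on the 0.7 line, and 0.8.1 and later.
fn is_affected(v: (u64, u64, u64)) -> bool {
    v < (0, 7, 4) || v == (0, 8, 0)
}

/// Extract the quoted value from a `key = "value"` line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return every affected crossbeam-deque version listed in the lockfile.
fn affected_in_lockfile(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_target = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_target = false; // a new package entry starts here
        } else if let Some(name) = field(line, "name") {
            in_target = name == "crossbeam-deque";
        } else if let Some(ver) = field(line, "version") {
            if in_target && parse_version(ver).map_or(false, is_affected) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

// Constructed Cargo.lock excerpt, not taken from any real project.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"crossbeam-deque\"\nversion = \"0.7.3\"\n\
[[package]]\nname = \"crossbeam-deque\"\nversion = \"0.8.0\"\n\
[[package]]\nname = \"crossbeam-deque\"\nversion = \"0.8.1\"\n\
[[package]]\nname = \"crossbeam-utils\"\nversion = \"0.7.2\"\n";

fn main() {
    for v in affected_in_lockfile(SAMPLE_LOCK) {
        println!("crossbeam-deque {} is in an affected range", v);
    }
}
```

A lockfile can list the crate more than once when two dependencies pull in different release lines, so every entry is checked rather than only the first.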
Affected Products
Alt Linux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Crossbeam-Deque