PT-2022-4836 · Unknown+2 · Crossbeam-Utils+2

Taiki-E · Published 2022-02-05 · Updated 2023-02-10 · CVE-2022-23639

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

crossbeam-utils versions prior to 0.8.7

Description

The issue is related to the alignment of {i,u}64 and Atomic{I,U}64 in crossbeam-utils, which can cause unaligned memory accesses and data races on 32-bit targets. Crates using fetch_* methods with AtomicCell<{i,u}64> are affected. The estimated number of potentially affected devices is not provided. There are no known real-world incidents where this issue was exploited.

Technical details about exploitation include:
  • The alignment of {i,u}64 on a 32-bit target can be smaller than that of Atomic{I,U}64.
  • fetch_* methods with AtomicCell<{i,u}64> are affected.
  • 32-bit targets without Atomic{I,U}64 and 64-bit targets are not affected.

Recommendations

For crossbeam-utils versions prior to 0.8.7, update to version 0.8.7 to resolve the issue. As a temporary workaround, consider avoiding the use of fetch_* methods with AtomicCell<{i,u}64> until a patch is available. Restrict access to crates using fetch_* methods with AtomicCell<{i,u}64> to minimize the risk of exploitation.
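
One way to check a project against the affected range above is to scan its Cargo.lock for crossbeam-utils entries older than 0.8.7. This is an added example, not code from the advisory or from the crossbeam project; the function names and the embedded lockfile are constructed for illustration, and pre-release suffixes are ignored as a simplification.

```rust
// Added example: report locked crossbeam-utils versions below the fixed release.
const FIXED: (u64, u64, u64) = (0, 8, 7);

/// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut p = core.split('.').map(|s| s.parse::<u64>().ok());
    Some((p.next()??, p.next()??, p.next()??))
}

/// Extract the quoted value from a `key = "value"` lockfile line.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return every locked crossbeam-utils version older than 0.8.7.
fn affected_versions(lockfile: &str) -> Vec<String> {
    let (mut hits, mut in_target) = (Vec::new(), false);
    for line in lockfile.lines() {
        if let Some(name) = quoted_value(line, "name") {
            in_target = name == "crossbeam-utils";
        } else if let (true, Some(v)) = (in_target, quoted_value(line, "version")) {
            match parse_version(v) {
                Some(ver) if ver >= FIXED => {}
                _ => hits.push(v.to_string()), // older or unparseable: report it
            }
            in_target = false;
        }
    }
    hits
}

// Constructed sample lockfile: two copies of the crate locked in one tree.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "crossbeam-utils"
version = "0.8.5"

[[package]]
name = "crossbeam-utils"
version = "0.8.7"
"#;

fn main() {
    for v in affected_versions(SAMPLE_LOCK) {
        println!("crossbeam-utils {} is older than 0.8.7 (CVE-2022-23639)", v);
    }
}
```

A hit only shows that an affected version is locked; per the description, exposure also depends on building for a 32-bit target with Atomic{I,U}64 and on fetch_* calls on AtomicCell<{i,u}64>.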

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

AZL-41454
AZL-44763
AZL-61381
BDU:2022-05894
CVE-2022-23639
GHSA-QC84-GQF4-9926
RUSTSEC-2022-0041

Affected Products

Astra Linux
Debian
Crossbeam-Utils