CVE-2026-46690

Summary

Affected code (0.2.0, master at 23a9ce7)

// src/lib.rs:384-401
DISCONNECTED => {
  self.inner.counter.store (DISCONNECTED, Ordering::SeqCst);
  // We want to guarantee if a message was not received that we get it
  // back; since spsc::{Producer,Consumer} have the same
  // internal representation (as a singleton struct containing Arc
  // <Buffer <T>>), we can safely transmute the producer in order to
  // pop the message back if it was orphaned.
  unsafe {
   let consumer : spsc::Consumer <T>
    = std::mem::transmute (self.producer.get());   // <-- POINTER, not value
   let first  = consumer.try pop();
   let second  = consumer.try pop();
   assert!(second.is none());             // <-- line 396; smoking-gun assert
   if let Some(t) = first {
    return Err (SendError (t))
   }
  }
},
self.producer is UnsafeCell<spsc::Producer<T>> (line 29). UnsafeCell::<X>::get(&self) returns *mut X, a raw pointer, 8 bytes on 64-bit. The signature of transmute is transmute::<Src, Dst>(src: Src) -> Dst, so the call expands to transmute::<*mut spsc::Producer<T>, spsc::Consumer<T>>(self.producer.get()). 8 bytes of pointer are reinterpreted as the bytes of a Consumer<T>.

In bounded-spsc-queue-0.4.0, both Producer<T> and Consumer<T> are newtypes around Arc<Buffer<T>>, one pointer wide. The destination value therefore has Arc::ptr == &mut Producer<T> as *const ArcInner<Buffer<T>>. To be a valid Arc<Buffer<T>>, that pointer must point to ArcInner { strong: AtomicUsize, weak: AtomicUsize, data: Buffer<T> }, but it actually points to the start of Sender<T> (the producer field). The first 8 bytes there hold the real Arc::ptr. The fake Arc reads those bytes as strong count. The fake try pop() then reads Buffer<T> head/tail/data slots starting at offset 16 inside the Sender<T>, that is, inside the send new and inner fields.

The author's intent (per the comment at lines 386-390) was a value-level transmute:

let producer val: spsc::Producer<T> = std::ptr::read(self.producer.get());
let consumer  : spsc::Consumer<T> = std::mem::transmute(producer val);
which is layout-sound iff Producer<T> and Consumer<T> have identical layouts (they do, both are single-Arc newtypes). The shipped code is one indirection off.

Reachability
The branch is not reachable single-threaded. Receiver::drop (line 332) stores connected = false before setting counter = DISCONNECTED; Sender::send (line 359) early-returns on connected == false. The trigger is a TOCTOU race:

Sender's self.inner.connected.load(SeqCst) reads true.
Receiver-drop runs: stores connected = false and counter.compare exchange( , DISCONNECTED, SeqCst, SeqCst).
Sender's self.inner.counter.fetch add(1, SeqCst) (line 379) sees DISCONNECTED and enters the unsafe block.
Under heavy contention this reproduces ~3/10 trials in release mode.

Proof of concept (race shape)
// Cargo.toml: unbounded-spsc = "0.2"
use std::thread;
use unbounded spsc::channel;

fn main() {
  for trial in 0..500 {
    let (tx, rx) = channel::<Box<u64>>();
    let started = std::sync::Arc::new(
      std::sync::atomic::AtomicBool::new(false));
    let s = started.clone();
    let h = thread::spawn(move || {
      s.store(true, std::sync::atomic::Ordering::SeqCst);
      for  in 0..10 000 {
        let  = tx.send(Box::new(0xDEAD BEEF));
      }
    });
    while !started.load(std::sync::atomic::Ordering::SeqCst) {
      std::hint::spin loop();
    }
    drop(rx);
    let  = h.join();
    eprintln!("trial {trial} ok");
  }
}
Observed:

Release-mode (no sanitizer): Segmentation fault (core dumped) reliably within a few trials. The non-segfaulting trials are masked by the separate send new.send(new consumer).unwrap() panic, see Secondary defect below.
-Zsanitizer=address -Zbuild-std (nightly): ASan reports stack-buffer-overflow / stack-use-after-scope from the fake-Consumer's try pop walking off the Sender frame.
This matches the SIGSEGV reported in your own issue #3.

Smoking-gun upstream evidence
src/lib.rs:975 in the project's test suite carries a TODO:

// TODO: failures
// - failed with assertion on line 394 in send fn
//  assert!(second.is none())
That is the assertion site of the transmute block (line 396 in 0.2.0 / master). You have observed try pop() returning a non-None value where logically there should be none, which is exactly what reading random bytes from the Sender's send new / inner fields produces, and the symptom has been marked as a flaky test rather than recognised as UB.

Impact
Reachable from 100% safe Rust. Concrete UB primitives:

OOB read of bytes adjacent to the Sender<T> struct via fake Consumer<T>::try pop(). The popped T is returned through Err(SendError(t)) to safe-code, an allocator-layout-controlled leak of process memory.
OOB write via fake Arc::drop AtomicUsize::fetch sub on bytes that are actually the real Arc::ptr value of the Sender.
Allocator corruption via fake Arc::drop calling dealloc(Layout::for value(...)) on a non-allocated address. The Sender struct holds the real Arc<Inner> immediately after the producer field; the deallocator call therefore uses a layout the allocator never allocated, which on glibc is a confirmed double-free / arbitrary-bucket-poisoning primitive, and on hardened allocators (jemalloc-secure, mimalloc-secure) is an immediate abort.
Secondary defect (same call path, bonus)
Sender::send line 369:

self.send new.send(new consumer).unwrap();
When the Sender's message queue is full, a fresh bounded spsc queue::Channel is allocated and the new Consumer<T> is shipped over an std::sync::mpsc side-channel to the Receiver. If the Receiver has already been dropped, receive new is gone and this unwrap() panics. The panic surfaces in your own test suite, issue #2 (tests::port gone concurrent panicked at src/lib.rs:369) and the in-source TODO at lines 365-368 already note the question "Are we sure that this is safe to unwrap or should we handle the result explicitly ?".

The fix is to return Err(SendError(t)) instead of unwrapping, same shape as the channel-closed result the function already returns on the connected-false path. This is not a memory-safety defect, only a panic, but it lives on the same TX/RX-race code path and a single coordinated patch can address both. Filing it here so we cover the full call site in one cycle.

Suggested patch (primary defect)
Replace the pointer-as-value transmute with a value-level read and a ManuallyDrop to suppress the alias's Producer::drop on subsequent exit:

unsafe {
  use core::mem::ManuallyDrop;

  // Sound value-level transmute: Producer<T> and Consumer<T> are both
  // newtypes around Arc<Buffer<T>>, so the value layouts match.
  // ptr::read takes ownership of the Producer's bytes without running
  // Producer's Drop.
  let producer val: spsc::Producer<T> = std::ptr::read(self.producer.get());
  let consumer  : spsc::Consumer<T> = std::mem::transmute(producer val);

  let first = consumer.try pop();
  let second = consumer.try pop();
  assert!(second.is none());
  if let Some(t) = first {
    return Err(SendError(t));
  }

  // consumer drops here; the same memory backs `producer`, so suppress
  // the double Producer drop:
  let  = ManuallyDrop::new(consumer);
}
Cleaner: restructure Sender<T> to hold producer and consumer in a private enum Endpoint<T> so no transmute is required, or use the bounded spsc queue::Producer<T>::reclaim() escape hatch if available.

Suggested patch (secondary defect)
if let Err(std::sync::mpsc::SendError( )) = self.send new.send(new consumer) {
  // Receiver has been dropped: take the message back as the public
  // SendError, the same way the connected==false early-return does.
  return Err(SendError(t));
}
Regression test (release-mode, race shape)
#[test]
fn race disconnect does not corrupt sender or abort() {
  for  in 0..200 {
    let (tx, rx) = unbounded spsc::channel::<Box<u64>>();
    let h = std::thread::spawn(move || {
      for  in 0..10 000 {
        let  = tx.send(Box::new(0xDEAD BEEF));
      }
    });
    drop(rx);
    h.join().unwrap();
  }
}
Reverse dependencies
Two crates on crates.io depend on unbounded-spsc, both owned by you: apis (process-calculus framework) and gooey-rs (tile-UI library, unbounded-spsc gated behind opengl/fmod features). The OpenGL/FMOD callback-mailbox use is a natural rx-drop-during-tx-send scenario at scene-graph teardown. A single coordinated bump cycle is feasible.

Researcher
Berkant Koc me@berkoc.com
PGP: 0C588DFD76204987284213EA0AC529C41F8AA5D6