Vulnerability Details : CVE-2020-15254
Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` has allocated capacity that same as the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs `Vec` from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when `Vec::from_iter` has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.
Vulnerability category: Overflow
Products affected by CVE-2020-15254
- cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15254
0.70%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 80 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-15254
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
GitHub, Inc. |
CWE ids for CVE-2020-15254
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: security-advisories@github.com (Secondary)
-
The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-15254
-
https://github.com/RustSec/advisory-db/pull/425
Add advisory for UB in crossbeam-channel 0.4.3 by taiki-e · Pull Request #425 · RustSec/advisory-db · GitHubPatch;Third Party Advisory
-
https://github.com/crossbeam-rs/crossbeam/pull/533
Use Box<[T]> instead of Vec<T> to initialize and drop ArrayQueue by caelunshun · Pull Request #533 · crossbeam-rs/crossbeam · GitHubExploit;Patch;Third Party Advisory
-
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx
Undefined Behavior in bounded channel · Advisory · crossbeam-rs/crossbeam · GitHubThird Party Advisory
-
https://github.com/crossbeam-rs/crossbeam/issues/539
Memory Leak in crossbeam-queue ArrayQueue? (Latest git only, ver0.2.3 is not effected) · Issue #539 · crossbeam-rs/crossbeam · GitHubExploit;Third Party Advisory
Jump to