CVE-2025-4574
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Description
In the crossbeam-channel Rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
Analysis
A double-free vulnerability in the `Drop` implementation of the crossbeam-channel Rust crate's `Channel` type allows memory corruption via a race condition during cleanup, affecting networked applications that depend on this widely used concurrency library. The vulnerability requires no authentication or user interaction and can be triggered by unauthenticated remote attackers in networked Rust applications using vulnerable versions. No public exploit code has been identified at the time of analysis. The issue presents a moderate real-world risk: the library is prevalent in production Rust ecosystems, while the EPSS score of 0.38% indicates low exploitation likelihood.
Technical Context
The crossbeam-channel crate is a fundamental Rust concurrency primitive that provides multi-producer, multi-consumer message-passing channels. The vulnerability resides in the Drop trait implementation of the internal Channel type, which manages cleanup of channel state and associated resources. CWE-415 (Double Free) occurs when a memory location is freed more than once, leading to heap corruption and potential code execution. The race condition in the Drop method likely stems from unsynchronized access to reference counts or channel state during concurrent cleanup operations, particularly when multiple threads attempt to drop the same channel resources simultaneously without proper synchronization primitives. This is especially critical in Rust's memory-safe language context, where unsafe code blocks are required to implement such low-level concurrency primitives, and improper synchronization can bypass Rust's borrow checker guarantees.
Affected Products
The crossbeam-channel Rust crate in versions prior to the patched release is affected, with the vulnerability originating in the Drop implementation of the Channel type. The exact affected version range is not specified in the provided data, but organizations using crossbeam-channel should consult the GitHub advisory (GHSA-pg9f-39pc-qf8g) and the upstream pull request (PR #1187 on crossbeam-rs/crossbeam) for precise version information. Any Rust application or library that depends on crossbeam-channel through cargo package management is potentially affected, including indirect dependencies throughout the Rust ecosystem.
Remediation
Update crossbeam-channel to the patched version that incorporates the fix from pull request #1187. Users should run `cargo update crossbeam-channel` to pull the latest secure version, or explicitly update their `Cargo.toml` to the corrected version once released by the maintainers. Verify the patch by reviewing the upstream pull request at https://github.com/crossbeam-rs/crossbeam/pull/1187 for specific fixed version numbers. For organizations unable to upgrade immediately, implement additional runtime thread-safety auditing and avoid patterns that trigger rapid concurrent channel drops, though no complete workaround exists for the underlying race condition. Consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2025-4574 and GitHub Advisory GHSA-pg9f-39pc-qf8g for distribution-specific patch availability.
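To see whether a project is exposed through direct or indirect dependencies, as Affected Products and Remediation describe, the sketch below reads a `Cargo.lock` and reports every resolved crossbeam-channel version together with the packages that reach it. It is an added example, not code from this page or from the crossbeam project; the `audit` function name is hypothetical and the parser assumes the layout cargo itself writes. The fixed version is not stated on this page, so compare the reported versions against GHSA-pg9f-39pc-qf8g.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Returns (resolved versions of `target`, packages that reach it directly or
// transitively). Assumes cargo's own layout: `name` precedes the other keys.
fn audit(lock: &str, target: &str) -> (BTreeSet<String>, BTreeSet<String>) {
    let mut versions = BTreeSet::new();
    let mut rev: BTreeMap<String, Vec<String>> = BTreeMap::new(); // dep -> dependents
    let (mut name, mut in_pkg, mut in_deps) = (String::new(), false, false);
    for line in lock.lines().map(str::trim) {
        let val = |key: &str| line.strip_prefix(key).map(|v| v.trim_matches('"').to_string());
        if line.starts_with('[') {
            // Only [[package]] tables are read; [metadata] and the like are skipped.
            in_pkg = line == "[[package]]";
            in_deps = false;
        } else if !in_pkg {
            continue;
        } else if let Some(n) = val("name = ") {
            name = n;
        } else if let Some(v) = val("version = ") {
            if name == target {
                versions.insert(v);
            }
        } else if line == "]" || line.starts_with("dependencies = [") {
            in_deps = line != "]";
        } else if in_deps {
            // Entries are "name", or "name version" when the name is ambiguous.
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            let dep = dep.split(' ').next().unwrap_or("").to_string();
            rev.entry(dep).or_default().push(name.clone());
        }
    }
    // Walk the reverse edges upward from the target crate.
    let (mut seen, mut stack) = (BTreeSet::new(), vec![target.to_string()]);
    while let Some(n) = stack.pop() {
        for parent in rev.get(&n).into_iter().flatten() {
            if seen.insert(parent.clone()) {
                stack.push(parent.clone());
            }
        }
    }
    (versions, seen)
}

fn main() {
    // Reads ./Cargo.lock unless a path is given as the first argument.
    let path = std::env::args().nth(1).unwrap_or_else(|| "Cargo.lock".into());
    let lock = std::fs::read_to_string(&path).expect("cannot read lockfile");
    let (versions, dependents) = audit(&lock, "crossbeam-channel");
    println!("resolved versions: {versions:?}\nreached from: {dependents:?}");
}
```

More than one version in the output means the lockfile resolves several copies of the crate, and each has to be at or above the fixed release.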