Rust CVE-2025-4574
Severity (NVD): MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Description (NVD)
In crossbeam-channel rust crate, the internal Channel type's Drop method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
Analysis (AI-generated)
A double-free in the Drop implementation of the crossbeam-channel crate's internal Channel type can corrupt memory through a race condition during cleanup. Because the crate is a widely used concurrency library, networked Rust applications that depend on a vulnerable version are exposed. The flaw requires neither authentication nor user interaction, and in such applications it could be triggered by unauthenticated remote attackers. No public exploit code had been identified at the time of analysis. The library's prevalence in production Rust ecosystems makes the real-world risk moderate, while the EPSS score of 0.38% indicates a low likelihood of exploitation.
Technical Context (AI-generated)
The crossbeam-channel crate is a fundamental Rust concurrency primitive that provides multi-producer, multi-consumer message-passing channels. The vulnerability resides in the Drop trait implementation of the internal Channel type, which cleans up channel state and associated resources. CWE-415 (Double Free) occurs when a memory location is freed more than once, leading to heap corruption and potentially to code execution. The race condition in the Drop method likely stems from unsynchronized access to reference counts or channel state during concurrent cleanup, particularly when multiple threads drop the same channel resources simultaneously without adequate synchronization. This matters all the more in Rust, a memory-safe language, because low-level concurrency primitives of this kind must be implemented in unsafe code blocks, where incorrect synchronization undermines the guarantees the borrow checker otherwise provides.
Affected Products (AI-generated)
Versions of the crossbeam-channel Rust crate prior to the patched release are affected; the vulnerability originates in the Drop implementation of the Channel type. The exact affected version range is not specified in the provided data, so organizations using crossbeam-channel should consult the GitHub advisory (GHSA-pg9f-39pc-qf8g) and the upstream pull request (PR #1187 on crossbeam-rs/crossbeam) for precise version information. Any Rust application or library that depends on crossbeam-channel through cargo is potentially affected, including through indirect dependencies anywhere in its dependency tree.
Remediation (AI-generated)
Update crossbeam-channel to the patched version that incorporates pull request #1187. Users should run 'cargo update crossbeam-channel' to pull the latest secure version, or explicitly update their Cargo.toml to the corrected version once released by the maintainers. Verify the fix by reviewing the upstream pull request at https://github.com/crossbeam-rs/crossbeam/pull/1187 for the specific fixed version numbers. Organizations unable to upgrade immediately should add runtime thread-safety auditing and avoid patterns that trigger rapid concurrent channel drops, although no complete workaround exists for the underlying race condition. Consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2025-4574 and GitHub Advisory GHSA-pg9f-39pc-qf8g for distribution-specific patch availability.