CVE-2021-32810

Published: 2 August 2021

crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.

Priority

Cvss 3 Severity Score

9.8

Score breakdown

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	bionic	Released (93.0+build1-0ubuntu0.18.04.1)
	focal	Released (93.0+build1-0ubuntu0.20.04.1)
	hirsute	Released (93.0+build1-0ubuntu0.21.04.1)
	impish	Released (93.0+build1-0ubuntu2)
	jammy	Released (93.0+build1-0ubuntu2)
	kinetic	Released (93.0+build1-0ubuntu2)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
rust-crossbeam-deque Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Needs triage
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	trusty	Does not exist
	upstream	Released (0.7.4-1)
	xenial	Ignored (out of standard support)

Severity score breakdown

Parameter	Value
Base score	9.8
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993146

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›