8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15254

GHSA ID

GHSA-v5m7-53cv-f3hx

EPSS Score

0.65412%

CWE

CWE-119

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15254

CVE-2020-15254: crossbeam-channel Undefined Behavior before v0.4.4

Impact

The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.

Patches

This has been fixed in crossbeam-channel 0.4.4.

We recommend users to upgrade to 0.4.4.

References

See https://github.com/crossbeam-rs/crossbeam/pull/533, https://github.com/crossbeam-rs/crossbeam/issues/539, and https://github.com/RustSec/advisory-db/pull/425 for more details.

License

This advisory is in the public domain.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15254

GHSA ID

GHSA-v5m7-53cv-f3hx

EPSS Score

0.65412%

CWE

CWE-119

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
crossbeam-channel	rust	= 0.4.3	0.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the destructor of the bounded channel (array::Channel) incorrectly reconstructing a Vec using the element count as capacity. The implementation assumed Vec::from_iter's capacity matches element count, but this isn't guaranteed. When dropping, it used from_raw_parts with length==capacity, leading to incorrect deallocation. The fix in 0.4.4 replaced Vec with Box<[T]> which guarantees exact allocation size, confirming the vulnerable code was in Channel's destructor handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *****t** v*rsion o* t*is *r*t*'s t** `*oun***` ***nn*l in*orr**tly *ssum*s t**t `V**::*rom_it*r` **s *llo**t** **p**ity t**t s*m* *s t** num**r o* it*r*tor *l*m*nts. `V**::*rom_it*r` *o*s not **tu*lly *u*r*nt** t**t *n* m*y *llo**t* *

Reasoning

T** vuln*r**ility st*ms *rom t** **stru*tor o* t** *oun*** ***nn*l (*rr*y::***nn*l) in*orr**tly r**onstru*tin* * V** usin* t** *l*m*nt *ount *s **p**ity. T** impl*m*nt*tion *ssum** V**::*rom_it*r's **p**ity m*t***s *l*m*nt *ount, *ut t*is isn't *u*r*

8.1

Basic Information

Concerned about an active attack path?

CVE-2020-15254: crossbeam-channel Undefined Behavior before v0.4.4

Impact

Patches

References

License

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI