5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-35904

GHSA ID

GHSA-m8h8-v6jh-c762

EPSS Score

0.17681%

CWE

CWE-131

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-35904

CVE-2020-35904:
Incorrect buffer size in crossbeam-channel

The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-35904

GHSA ID

GHSA-m8h8-v6jh-c762

EPSS Score

0.17681%

CWE

CWE-131

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
crossbeam-channel	rust	>= 0.4.3, < 0.4.4	0.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions: 1) The destructor (drop implementation) assumes Vec capacity equals element count when reconstructing from raw pointers, but Vec::from_iter doesn't guarantee this. 2) The channel initialization uses Vec::from_iter which may overallocate. The combination leads to incorrect capacity calculation during deallocation. The GitHub PR #533 specifically replaced Vec with Box<[T]> in these locations to fix the issue, confirming these functions' involvement.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *****t** v*rsion o* t*is *r*t*'s t** *oun*** ***nn*l in*orr**tly *ssum*s t**t V**::*rom_it*r **s *llo**t** **p**ity t**t s*m* *s t** num**r o* it*r*tor *l*m*nts. V**::*rom_it*r *o*s not **tu*lly *u*r*nt** t**t *n* m*y *llo**t* *xtr* m*mory. T** *

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *) T** **stru*tor (*rop impl*m*nt*tion) *ssum*s V** **p**ity *qu*ls *l*m*nt *ount w**n r**onstru*tin* *rom r*w point*rs, *ut V**::*rom_it*r *o*sn't *u*r*nt** t*is. *) T** ***nn*l initi*liz*tion us*s V**

5.5

Basic Information

Concerned about an active attack path?

CVE-2020-35904: Incorrect buffer size in crossbeam-channel

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-35904:
Incorrect buffer size in crossbeam-channel

Vulnerability Intelligence
Miggo AI