CVE-2020-15254
Published: 2020-10-16
Priority: P347, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.74% (84.3th percentile)
Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` allocates a capacity equal to the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs the `Vec` from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.
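The bug class described above, as an added Rust example (not code from crossbeam or from this page): it records the capacity a collected `Vec` reports, then hands the storage to a raw pointer through a boxed slice so the size used at deallocation equals the element count. `RawBuf`, `Slot` and `DROPS` are hypothetical names.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};

// Counts destructor runs so a caller can confirm each slot is dropped once.
static DROPS: AtomicUsize = AtomicUsize::new(0);

struct Slot(u32);

impl Drop for Slot {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

/// Hypothetical stand-in for a channel buffer that owns raw storage.
struct RawBuf {
    ptr: *mut Slot,
    len: usize,
}

impl RawBuf {
    fn new(n: u32) -> (RawBuf, usize) {
        // filter() makes size_hint inexact, so collect() may over-allocate.
        let v: Vec<Slot> = (0..n).filter(|_| true).map(Slot).collect();
        let observed_cap = v.capacity();
        // Unsound (the bug class): keep v.as_mut_ptr(), forget v, and later
        // rebuild with Vec::from_raw_parts(ptr, 0, n). That frees with
        // capacity n, which is wrong whenever observed_cap != n.
        // Sound: a boxed slice's allocation holds exactly len elements.
        let boxed: Box<[Slot]> = v.into_boxed_slice();
        let len = boxed.len();
        let ptr = Box::into_raw(boxed) as *mut Slot;
        (RawBuf { ptr, len }, observed_cap)
    }
}

impl Drop for RawBuf {
    fn drop(&mut self) {
        // SAFETY: ptr and len come from Box::into_raw on a Box<[Slot]>.
        let slice = std::ptr::slice_from_raw_parts_mut(self.ptr, self.len);
        unsafe { drop(Box::from_raw(slice)) };
    }
}

fn main() {
    let (buf, cap) = RawBuf::new(5);
    println!("len = {}, Vec capacity before boxing = {}", buf.len, cap);
    drop(buf);
    println!("slots dropped = {}", DROPS.load(Ordering::SeqCst));
}
```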
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crossbeam-rs | crossbeam | < 0.4.4 | 0.4.4 |
| crossbeam_project | crossbeam | < 0.4.4 | 0.4.4 |
| debian | firefox | < firefox 82.0-1 (sid) | firefox 82.0-1 (sid) |
| debian | rust-crossbeam-channel | < firefox 82.0-1 (sid) | firefox 82.0-1 (sid) |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 82.0+build2-0ubuntu0.16.04.5 | 82.0+build2-0ubuntu0.16.04.5 |
| mozilla | firefox | >= 0 < 82.0+build2-0ubuntu0.18.04.1 | 82.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 82.0+build2-0ubuntu0.20.04.1 | 82.0+build2-0ubuntu0.20.04.1 |
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | — | — |
CVSS provenance
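| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_msrc | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |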
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-10-26
CVE-2020-15680 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
USN-4599-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Ubuntu 16.04 LTS.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the prompt
for opening an external application, obtain sensitive information, or execute
arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-10-23
CVE-2020-15680 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the prompt
for opening an external application, obtain sensitive information, or execute
arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Red Hat
Mozilla: Undefined behavior in bounded channel of crossbeam rust crate
vendor_redhat·2020-10-20·CVSS 8.1
CVE-2020-15254 [HIGH] CWE-119 Mozilla: Undefined behavior in bounded channel of crossbeam rust crate
Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` allocates a capacity equal to the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs the `Vec` from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.
Package: firefox (Red Hat Enterprise Linux 6) - Not affected
Package: firefox (R
Microsoft
Undefined Behavior in bounded Crossbeam channel
vendor_msrc·2020-10-13·CVSS 8.1
CVE-2020-15254 [HIGH] CWE-119 Undefined Behavior in bounded Crossbeam channel
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Debian
CVE-2020-15254: firefox - Crossbeam is a set of tools for concurrent programming. In crossbeam-channel bef...
vendor_debian·2020·CVSS 8.1
CVE-2020-15254 [HIGH] CVE-2020-15254: firefox - Crossbeam is a set of tools for concurrent programming. In crossbeam-channel bef...
Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` allocates a capacity equal to the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs the `Vec` from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.
Scope: local
sid: resolved (fixed in 82.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-45: CVE-2020-15254
vendor_mozilla·CVSS 8.1
CVE-2020-15254 [HIGH] Mozilla Foundation Security Advisory 2020-45: CVE-2020-15254
Mozilla Foundation Security Advisory 2020-45
CVE: CVE-2020-15254
Product: Firefox
Impact: high
Fixed in: Firefox 82
OSV
crossbeam-channel Undefined Behavior before v0.4.4
osv·2021-08-25
CVE-2020-15254 [HIGH] crossbeam-channel Undefined Behavior before v0.4.4
### Impact
In the affected versions of this crate, the `bounded` channel incorrectly assumes that `Vec::from_iter` allocates a capacity equal to the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs the `Vec` from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements.
### Patches
This has been fixed in crossbeam-channel 0.4.4.
We recommend that users upgrade to 0.4.4.
### References
See https://github.com/crossbeam-rs/crossbeam/pull/533, https://github.com/cro
GHSA
crossbeam-channel Undefined Behavior before v0.4.4
ghsa·2021-08-25
CVE-2020-15254 [HIGH] CWE-119 crossbeam-channel Undefined Behavior before v0.4.4
### Impact
In the affected versions of this crate, the `bounded` channel incorrectly assumes that `Vec::from_iter` allocates a capacity equal to the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs the `Vec` from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements.
### Patches
This has been fixed in crossbeam-channel 0.4.4.
We recommend that users upgrade to 0.4.4.
### References
See https://github.com/crossbeam-rs/crossbeam/pull/533, https://github.com/cro
OSV
Incorrect buffer size in crossbeam-channel
osv·2021-08-25
CVE-2020-15254 [MEDIUM] Incorrect buffer size in crossbeam-channel
In the affected versions of this crate, the bounded channel incorrectly assumes that Vec::from_iter allocates a capacity equal to the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs the Vec from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when Vec::from_iter has allocated a size different from the number of iterator elements.
OSV
CVE-2020-15254: Crossbeam is a set of tools for concurrent programming
osv·2020-10-22·CVSS 9.8
CVE-2020-15254 [CRITICAL] CVE-2020-15254: Crossbeam is a set of tools for concurrent programming
Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` allocates a capacity equal to the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs the `Vec` from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.
OSV
Undefined Behavior in bounded channel
osv·2020-06-26
CVE-2020-15254 Undefined Behavior in bounded channel
In the affected versions of this crate, the `bounded` channel incorrectly assumes that `Vec::from_iter` allocates a capacity equal to the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs the `Vec` from the raw pointer based on this incorrect assumption. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/RustSec/advisory-db/pull/425
https://github.com/crossbeam-rs/crossbeam/issues/539
https://github.com/crossbeam-rs/crossbeam/pull/533
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx