CVE-2021-32810
Published 2021-08-02
Priority: P350 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.92% (77.4th percentile)
crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crossbeam-rs | crossbeam | < 0.7.4 | 0.7.4 |
| crossbeam-rs | crossbeam | — | — |
| crossbeam_project | crossbeam | < 0.7.4 | 0.7.4 |
| crossbeam_project | crossbeam | >= 0.8.0 < 0.8.1 | 0.8.1 |
| debian | firefox | < firefox 93.0-1 (sid) | firefox 93.0-1 (sid) |
| debian | firefox-esr | < firefox 93.0-1 (sid) | firefox 93.0-1 (sid) |
| debian | rust-crossbeam-deque | < firefox 93.0-1 (sid) | firefox 93.0-1 (sid) |
| debian | thunderbird | < firefox 93.0-1 (sid) | firefox 93.0-1 (sid) |
| fedoraproject | fedora | — | — |
| mozilla | firefox | — | — |
CVSS provenance
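| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |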
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2021-11-03
CVE-2021-38500 Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
spoof another origin, or execute arbitrary code.
Instructions: After a standard system update you need to restart Thunderbird to make
all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2021-10-07
CVE-2021-38497 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof another
origin, or execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Red Hat
rust-crossbeam-deque: race condition may lead to double free
vendor_redhat·2021-08-02·CVSS 9.8
CVE-2021-32810 [CRITICAL] CWE-119 rust-crossbeam-deque: race condition may lead to double free
crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
Package: firefox (Red Hat Enterprise Linux 6) - Out of support scope
Package: thunderbird (Red Hat Enterprise Linux 6) - Out of supp
Debian
CVE-2021-32810: firefox - crossbeam-deque is a package of work-stealing deques for building task scheduler...
vendor_debian·2021·CVSS 9.8
CVE-2021-32810 [CRITICAL] CVE-2021-32810: firefox - crossbeam-deque is a package of work-stealing deques for building task scheduler...
crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
Scope: local
sid: resolved (fixed in 93.0-1)
Mozilla
Mozilla Foundation Security Advisory 2021-47: CVE-2021-32810
vendor_mozilla·CVSS 9.8
CVE-2021-32810 [CRITICAL] Mozilla Foundation Security Advisory 2021-47: CVE-2021-32810
Mozilla Foundation Security Advisory 2021-47
CVE: CVE-2021-32810
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 91.2
Mozilla
Mozilla Foundation Security Advisory 2021-43: CVE-2021-32810
vendor_mozilla·CVSS 9.8
CVE-2021-32810 [CRITICAL] Mozilla Foundation Security Advisory 2021-43: CVE-2021-32810
Mozilla Foundation Security Advisory 2021-43
CVE: CVE-2021-32810
Product: Firefox
Impact: high
Fixed in: Firefox 93
Mozilla
Mozilla Foundation Security Advisory 2021-45: CVE-2021-32810
vendor_mozilla·CVSS 9.8
CVE-2021-32810 [CRITICAL] Mozilla Foundation Security Advisory 2021-45: CVE-2021-32810
Mozilla Foundation Security Advisory 2021-45
CVE: CVE-2021-32810
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 91.2
GHSA
crossbeam-deque Data Race before v0.7.4 and v0.8.1
ghsa·2021-08-25
CVE-2021-32810 [CRITICAL] CWE-362 crossbeam-deque Data Race before v0.7.4 and v0.8.1
### Impact
In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.
Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.
### Patches
This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
### Credits
This issue was reported and fixed by Maor Kleinberger.
### License
This advisory is in the public domain.
OSV
crossbeam-deque Data Race before v0.7.4 and v0.8.1
osv·2021-08-25
CVE-2021-32810 [CRITICAL] crossbeam-deque Data Race before v0.7.4 and v0.8.1
### Impact
In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.
Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.
### Patches
This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
### Credits
This issue was reported and fixed by Maor Kleinberger.
### License
This advisory is in the public domain.
OSV
CVE-2021-32810: crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust
osv·2021-08-02·CVSS 9.8
CVE-2021-32810 [CRITICAL] CVE-2021-32810: crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust
crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
OSV
Data race in crossbeam-deque
osv·2021-07-30
CVE-2021-32810 Data race in crossbeam-deque
In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.
Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.
Credits to @kmaork for discovering, reporting and fixing the bug.
No detection rules found.
No public exploits indexed.
Published: 2021-08-02