CVE-2020-35904
Description
An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Undefined behavior in crossbeam-channel before 0.4.4 due to incorrect capacity assumptions in bounded channel memory allocation, risking memory corruption and deadlocks.
Vulnerability
Overview
The crossbeam-channel crate for Rust, versions prior to 0.4.4, contains a vulnerability in its bounded channel implementation. The root cause is an incorrect assumption about the memory allocation behavior of Vec::from_iter. When the bounded channel is constructed, the code incorrectly assumes that the allocated capacity exactly matches the number of elements passed to the iterator. However, Vec::from_iter may allocate extra capacity, leading to a mismatch between the actual allocation size and the size assumed during deallocation [1][4].
Exploitation
Prerequisites
This vulnerability is triggered when a bounded channel is dropped. Any Rust program that uses a bounded channel (created with crossbeam_channel::bounded) and later drops it is susceptible. No special privileges or network access are required; the issue manifests during normal memory cleanup. The bug is specific to the bounded channel variant and does not affect unbounded channels [4].
Impact
When the channel is dropped, the destructor attempts to deallocate the buffer using the incorrect capacity, resulting in undefined behavior. This can cause memory corruption, crashes, or, as evidenced by a referenced commit, deadlocks in memory allocators such as jemalloc [1]. An attacker who can influence the creation and dropping of bounded channels in a targeted process might leverage the UB to trigger a denial of service or, potentially, more severe consequences depending on the allocator and system state.
Mitigation
The vulnerability is fixed in version 0.4.4 of crossbeam-channel. Users should update to this version or later. No workarounds are documented, and the crate maintainers have resolved the issue by using Box<[T]> to guarantee exact allocation capacity [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
crossbeam-channelcrates.io | >= 0.4.3, < 0.4.4 | 0.4.4 |
Affected products
2- Rust/crossbeam-channeldescription
Patches
148b13dc43cf1Bump crossbeam-channel to v0.4.4
2 files changed · +6 −1
crossbeam-channel/Cargo.toml+1 −1 modified@@ -4,7 +4,7 @@ name = "crossbeam-channel" # - Update CHANGELOG.md # - Update README.md # - Create "crossbeam-channel-X.Y.Z" git tag -version = "0.4.3" +version = "0.4.4" authors = ["The Crossbeam Project Developers"] license = "MIT OR Apache-2.0" readme = "README.md"
crossbeam-channel/CHANGELOG.md+5 −0 modified@@ -1,3 +1,8 @@ +# Version 0.4.4 + +- Fix bug in release (yanking 0.4.3) +- Fix UB and breaking change introduced in 0.4.3 + # Version 0.4.3 - Change license to "MIT OR Apache-2.0".
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-m8h8-v6jh-c762ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-35904ghsaADVISORY
- github.com/crossbeam-rs/crossbeam/pull/533ghsaWEB
- rustsec.org/advisories/RUSTSEC-2020-0052.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.