CVE-2021-32810
📋 TL;DR
A race condition in the crossbeam-deque Rust library, affecting all versions before 0.7.4 and version 0.8.0, allows a task in a worker queue to be popped twice while other tasks are silently dropped. When tasks are heap-allocated, the double pop can cause double-free memory corruption, leading to crashes, and the dropped tasks leak memory. Any Rust application that uses crossbeam-deque's Stealer methods for task scheduling is affected.
💻 Affected Systems
- crossbeam-deque Rust library
📦 What is this software?
Crossbeam by Crossbeam Project
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Double-free memory corruption leading to arbitrary code execution, denial of service, or data corruption in affected Rust applications.
Likely Case
Application crashes, memory leaks, or logical bugs causing incorrect task execution in multi-threaded Rust programs.
If Mitigated
Minor performance impact or task scheduling anomalies if proper memory safety practices are followed.
🎯 Exploit Status
Exploitation depends on specific application usage patterns and timing conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7.4 or 0.8.1
Vendor Advisory: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw
Restart Required: Yes
Instructions:
1. Update Cargo.toml to require crossbeam-deque >=0.7.4 or >=0.8.1.
2. Run 'cargo update crossbeam-deque'.
3. Rebuild and redeploy affected Rust applications.
🔧 Temporary Workarounds
Avoid affected Stealer methods
Temporarily modify code to avoid calling Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop
🧯 If You Can't Patch
- Isolate affected applications in restricted environments with minimal privileges
- Implement additional monitoring for memory corruption or application crashes
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock or run 'cargo tree | grep crossbeam-deque' to see installed version
Check Version:
grep crossbeam-deque Cargo.lock
Verify Fix Applied:
Verify crossbeam-deque version is >=0.7.4 or >=0.8.1 in Cargo.lock after update
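The verification steps above amount to one rule: a locked crossbeam-deque version is affected if it is below 0.7.4 or exactly 0.8.0, and a single Cargo.lock can pin more than one copy of the crate when dependencies straddle the 0.7 and 0.8 lines. The following program is an added example, not code from the advisory or the crossbeam project; it reads a Cargo.lock (a path given as the first argument, or a constructed sample built into the program when no argument is given), applies that rule to every crossbeam-deque entry it finds, and exits non-zero if any is affected. The lockfile reader is a minimal line-based scanner that relies on the `[[package]]` / `name = "..."` / `version = "..."` layout cargo writes, not a full TOML parser, and the checksum values in the sample are placeholders.

```rust
// Added example (not part of the advisory or the crossbeam project): audit a
// Cargo.lock for crossbeam-deque versions affected by CVE-2021-32810.
//
// Affected per the advisory: every version before 0.7.4, plus 0.8.0.
// Fixed: 0.7.4 and later in the 0.7 line, 0.8.1 and later otherwise.

/// Parse "major.minor.patch" into a tuple; any "-pre" or "+build" suffix is ignored.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    Some((major, minor, patch))
}

/// Some(true) if the version is affected by CVE-2021-32810, None if unparsable.
fn is_vulnerable(version: &str) -> Option<bool> {
    let v = parse_version(version)?;
    Some(v < (0, 7, 4) || v == (0, 8, 0))
}

/// Extract (name, version) pairs from the `[[package]]` tables of a Cargo.lock.
/// Minimal line-based reader: it only understands the layout cargo itself writes.
fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut in_package = false;
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line.starts_with('[') {
            // Any new table header closes the current [[package]] entry.
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
            in_package = line == "[[package]]";
        } else if in_package {
            if let Some(rest) = line.strip_prefix("name = ") {
                name = Some(rest.trim_matches('"').to_string());
            } else if let Some(rest) = line.strip_prefix("version = ") {
                version = Some(rest.trim_matches('"').to_string());
            }
        }
    }
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push((n, v));
    }
    out
}

/// Every locked crossbeam-deque version with its CVE-2021-32810 status.
/// Unparsable versions are reported as vulnerable so they get looked at.
fn audit(lock: &str) -> Vec<(String, bool)> {
    lock_packages(lock)
        .into_iter()
        .filter(|(n, _)| n == "crossbeam-deque")
        .map(|(_, v)| {
            let vulnerable = is_vulnerable(&v).unwrap_or(true);
            (v, vulnerable)
        })
        .collect()
}

/// Constructed sample lockfile (not from any real project): two copies of
/// crossbeam-deque, one affected and one fixed. Checksums are placeholders.
const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "crossbeam-deque"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM"
dependencies = [
 "crossbeam-epoch",
 "crossbeam-utils",
]

[[package]]
name = "crossbeam-deque"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM"

[[package]]
name = "crossbeam-utils"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let lock = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(&path).expect("cannot read Cargo.lock"),
        None => SAMPLE_LOCK.to_string(),
    };
    let results = audit(&lock);
    if results.is_empty() {
        println!("crossbeam-deque is not in this lockfile");
    }
    for (version, vulnerable) in &results {
        let status = if *vulnerable { "VULNERABLE (CVE-2021-32810)" } else { "fixed" };
        println!("crossbeam-deque {}: {}", version, status);
    }
    if results.iter().any(|(_, vulnerable)| *vulnerable) {
        std::process::exit(1);
    }
}
```

Run it as `cargo run -- path/to/Cargo.lock` (or `rustc` the file and pass the path) from a CI job; the non-zero exit fails the build while any affected copy remains. Reporting every copy rather than the first one matters because `cargo update crossbeam-deque` may only move one of the two lines, leaving the other pinned at an affected version.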
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory corruption errors
- Unexpected double-free warnings in Rust panic messages
Network Indicators:
- Service disruptions or unexpected restarts of affected applications
SIEM Query:
Application logs containing 'double free', 'memory corruption', or crossbeam-deque related panic messages
🔗 References
- https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EZILHZDRGDPOBQ4KTW3E5PPMKLHGH5N/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AWHNNBJCU4EHA2X5ZAMJMGLDUYS5FEPP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYBSLIYFANZLCYWOGTIYZUM26TJRH7WU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CY5T3FCE4MUYSPKEWICLVJBBODGJ6SZE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EW5B2VTDVMJ6B3DA4VLMAMW2GGDCE2BK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCIBFGBSL3JSVJQTNEDEIMZGZF23N2KE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCLMH7B7B2MF55ET4NQNPH7JWISFX4RT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRPKBRXCRNGNMVFQPFD4LM3QKPEMBQQR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFUBWBYCPSSXTJGEAQ67CJUNQJBOCM26/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3LSN3B43TJSFIOB3QLPBI3RCHRU5BLO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VQZIEJQBV3S72BHD5GKJQF3NVYNRV5CF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WGB2H35CTZDHOV3VLC5BM6VFGURLLVRP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFBZWCLG7AGLJO4A7K5IMJVPLSWZ5TJP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQDIBB7VR3ER52FMSMNJPAWNDO5SITCE/