#VU55598 Race condition in crossbeam-deque - CVE-2021-32810


| Updated: 2021-10-05

Vulnerability identifier: #VU55598

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-32810

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
crossbeam-deque
Universal components / Libraries / Programming Languages & Components

Vendor: Crossbeam

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a race condition in the "Stealer::steal", "Stealer::steal_batch" and "Stealer::steal_batch_and_pop" functions. A remote attacker can exploit the race and gain unauthorized access to sensitive information and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

crossbeam-deque: 0.7.0 - 0.8.0

External links
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for firefox
Anolis OS update for thunderbird (Anolis OS 8.5)
SUSE update for MozillaThunderbird
CentOS 7 update for firefox
CentOS 7 update for thunderbird
Ubuntu update for thunderbird
Red Hat Enterprise Linux 7 update for thunderbird
SUSE update for MozillaFirefox, rust-cbindgen
SUSE update for MozillaFirefox
SUSE update for MozillaFirefox