CVE-2021-32810

NameCVE-2021-32810
Descriptioncrossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs993146

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid93.0-1fixed
firefox-esr (PTS)stretch68.10.0esr-1~deb9u1fixed
stretch (security)78.15.0esr-1~deb9u1fixed
buster78.14.0esr-1~deb10u1fixed
buster (security)78.15.0esr-1~deb10u1fixed
bullseye78.14.0esr-1~deb11u1fixed
bullseye (security)78.15.0esr-1~deb11u1fixed
bookworm78.14.0esr-1fixed
sid91.2.0esr-1fixed
rust-crossbeam-deque (PTS)buster0.6.3-1vulnerable
bullseye0.7.3-1vulnerable
bookworm, sid0.7.4-2fixed
thunderbird (PTS)stretch1:68.10.0-1~deb9u1fixed
stretch (security)1:78.14.0-1~deb9u1fixed
buster, buster (security)1:78.14.0-1~deb10u1fixed
bullseye (security), bullseye1:78.14.0-1~deb11u1fixed
bookworm1:78.14.0-1fixed
sid1:91.2.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)93.0-1
firefox-esrsource(unstable)(not affected)
rust-crossbeam-dequesource(unstable)0.7.4-1993146
thunderbirdsource(unstable)(not affected)

Notes

- firefox-esr <not-affected> (Only affect Firefox 91 not in any supported suite in vulnerable version)
- thunderbird <not-affected> (Only affects Thunderbird 91 not in any supported suite in vulnerable version)
[bullseye] - rust-crossbeam-deque <no-dsa> (Minor issue)
[buster] - rust-crossbeam-deque <no-dsa> (Minor issue)
https://rustsec.org/advisories/RUSTSEC-2021-0093.html
https://www.mozilla.org/en-US/security/advisories/mfsa2021-43/#CVE-2021-32810
https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/#CVE-2021-32810
https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-32810

Search for package or bug name: Reporting problems