cvelistv5 - CVE-2025-4574

CVE-2025-4574 (GCVE-0-2025-4574)

Vulnerability from cvelistv5 – Published: 2025-05-13 21:47 – Updated: 2025-11-20 20:49

Summary

In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-415 - Double Free

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/security/cve/CVE-2025-4574	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2358890	issue-trackingx_refsource_REDHAT
	https://github.com/crossbeam-rs/crossbeam/pull/1187

Impacted products

Vendor

Product

Version

Affected: 0.5.12 , < 0.5.15 (semver)

Red Hat	Red Hat Directory Server 11	cpe:/a:redhat:directory_server:11
Red Hat	Red Hat Directory Server 12	cpe:/a:redhat:directory_server:12
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift AI (RHOAI)	cpe:/a:redhat:openshift_ai
Red Hat	Red Hat OpenShift AI (RHOAI)	cpe:/a:redhat:openshift_ai
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat Satellite 6	cpe:/a:redhat:satellite:6
Red Hat	Red Hat Satellite 6	cpe:/a:redhat:satellite:6
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Profile Analyzer	cpe:/a:redhat:trusted_profile_analyzer:2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4574",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T13:30:44.836115Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-14T13:30:57.226Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/crossbeam-rs/crossbeam",
          "defaultStatus": "unaffected",
          "packageName": "crossbeam-channel",
          "versions": [
            {
              "lessThan": "0.5.15",
              "status": "affected",
              "version": "0.5.12",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:directory_server:11"
          ],
          "defaultStatus": "unaffected",
          "packageName": "redhat-ds:11/389-ds-base",
          "product": "Red Hat Directory Server 11",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:directory_server:12"
          ],
          "defaultStatus": "unaffected",
          "packageName": "redhat-ds:12/389-ds-base",
          "product": "Red Hat Directory Server 12",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "389-ds-base",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "firefox",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "gjs",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "rust",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "rust-afterburn",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "thunderbird",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "trustee-guest-components",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "firefox",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "thunderbird",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "389-ds:1.4/389-ds-base",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "389-ds-base",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "firefox",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rpm-ostree",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rust-toolset:rhel8/rust",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "thunderbird",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "389-ds-base",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "firefox",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "librsvg2",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rpm-ostree",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "rust",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "rust-afterburn",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "rust-coreos-installer",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "thunderbird",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "trustee-guest-components",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-feast-operator-rhel8",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-feature-server-rhel8",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "conmon-rs",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "coreos-installer",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "kata-containers",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rpm-ostree",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rust-afterburn",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6"
          ],
          "defaultStatus": "affected",
          "packageName": "python3.12-maturin",
          "product": "Red Hat Satellite 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6"
          ],
          "defaultStatus": "affected",
          "packageName": "python-maturin",
          "product": "Red Hat Satellite 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/tuffer-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/tuftool-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_profile_analyzer:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhtpa/rhtpa-trustification-service-rhel9",
          "product": "Red Hat Trusted Profile Analyzer",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-04-10T14:30:39.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-415",
              "description": "Double Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T20:49:08.419Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-4574"
        },
        {
          "name": "RHBZ#2358890",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
        },
        {
          "url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-10T16:01:59.821678+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-04-10T14:30:39+00:00",
          "value": "Made public."
        }
      ],
      "title": "Crossbeam-channel: crossbeam-channel vulnerable to double free on drop",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-415: Double Free"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-4574",
    "datePublished": "2025-05-13T21:47:24.951Z",
    "dateReserved": "2025-05-12T12:06:47.274Z",
    "dateUpdated": "2025-11-20T20:49:08.419Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-4574\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-05-13T22:15:25.143\",\"lastModified\":\"2025-05-16T14:43:56.797\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.\"},{\"lang\":\"es\",\"value\":\"En la caja de \u00f3xido de canal transversal, el m\u00e9todo `Drop` del tipo `Channel` interno tiene una condici\u00f3n de ejecuci\u00f3n que podr\u00eda, en algunas circunstancias, generar una doble liberaci\u00f3n que podr\u00eda provocar una corrupci\u00f3n de memoria.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-4574\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2358890\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/crossbeam-rs/crossbeam/pull/1187\",\"source\":\"secalert@redhat.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-4574\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-14T13:30:44.836115Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-14T13:30:50.043Z\"}}], \"cna\": {\"title\": \"Crossbeam-channel: crossbeam-channel vulnerable to double free on drop\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"0.5.12\", \"lessThan\": \"0.5.15\", \"versionType\": \"semver\"}], \"packageName\": \"crossbeam-channel\", \"collectionURL\": \"https://github.com/crossbeam-rs/crossbeam\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:directory_server:11\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Directory Server 11\", \"packageName\": \"redhat-ds:11/389-ds-base\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:directory_server:12\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Directory Server 12\", \"packageName\": \"redhat-ds:12/389-ds-base\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"389-ds-base\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"firefox\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"gjs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"rust\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"rust-afterburn\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"thunderbird\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"trustee-guest-components\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 7\", \"packageName\": \"firefox\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 7\", \"packageName\": \"thunderbird\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"389-ds:1.4/389-ds-base\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"389-ds-base\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"firefox\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"rpm-ostree\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"rust-toolset:rhel8/rust\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"thunderbird\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"389-ds-base\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"firefox\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"librsvg2\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"rpm-ostree\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"rust\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"rust-afterburn\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"rust-coreos-installer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"thunderbird\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"trustee-guest-components\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-feast-operator-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-feature-server-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"conmon-rs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"coreos-installer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"kata-containers\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"rpm-ostree\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"rust-afterburn\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"python3.12-maturin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"python-maturin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:trusted_artifact_signer:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Trusted Artifact Signer\", \"packageName\": \"rhtas/tuffer-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:trusted_artifact_signer:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Trusted Artifact Signer\", \"packageName\": \"rhtas/tuftool-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:trusted_profile_analyzer:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Trusted Profile Analyzer\", \"packageName\": \"rhtpa/rhtpa-trustification-service-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-04-10T16:01:59.821678+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-04-10T14:30:39+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-04-10T14:30:39.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2025-4574\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2358890\", \"name\": \"RHBZ#2358890\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/crossbeam-rs/crossbeam/pull/1187\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-415\", \"description\": \"Double Free\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-11-20T20:49:08.419Z\"}, \"x_redhatCweChain\": \"CWE-415: Double Free\"}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-4574\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T20:49:08.419Z\", \"dateReserved\": \"2025-05-12T12:06:47.274Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-05-13T21:47:24.951Z\", \"assignerShortName\": \"redhat\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

OPENSUSE-SU-2025:15551-1

Vulnerability from csaf_opensuse - Published: 2025-09-14 00:00 - Updated: 2025-09-14 00:00

Summary

cargo-c-0.10.3~git0.ee7d7ef-4.1 on GA media

Notes

Title of the patch

cargo-c-0.10.3~git0.ee7d7ef-4.1 on GA media

Description of the patch

These are all security issues fixed in the cargo-c-0.10.3~git0.ee7d7ef-4.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15551

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "cargo-c-0.10.3~git0.ee7d7ef-4.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the cargo-c-0.10.3~git0.ee7d7ef-4.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15551",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15551-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-12224 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-12224/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-4574 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-4574/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58160 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58160/"
      }
    ],
    "title": "cargo-c-0.10.3~git0.ee7d7ef-4.1 on GA media",
    "tracking": {
      "current_release_date": "2025-09-14T00:00:00Z",
      "generator": {
        "date": "2025-09-14T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15551-1",
      "initial_release_date": "2025-09-14T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-09-14T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
                "product": {
                  "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
                  "product_id": "cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
                "product": {
                  "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
                  "product_id": "cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
                "product": {
                  "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
                  "product_id": "cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64",
                "product": {
                  "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64",
                  "product_id": "cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64"
        },
        "product_reference": "cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le"
        },
        "product_reference": "cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x"
        },
        "product_reference": "cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
        },
        "product_reference": "cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-12224",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-12224"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-12224",
          "url": "https://www.suse.com/security/cve/CVE-2024-12224"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243848 for CVE-2024-12224",
          "url": "https://bugzilla.suse.com/1243848"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-14T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-12224"
    },
    {
      "cve": "CVE-2025-4574",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-4574"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-4574",
          "url": "https://www.suse.com/security/cve/CVE-2025-4574"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243169 for CVE-2025-4574",
          "url": "https://bugzilla.suse.com/1243169"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-14T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-4574"
    },
    {
      "cve": "CVE-2025-58160",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58160"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
          "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58160",
          "url": "https://www.suse.com/security/cve/CVE-2025-58160"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1249007 for CVE-2025-58160",
          "url": "https://bugzilla.suse.com/1249007"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.aarch64",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.ppc64le",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.s390x",
            "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-4.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-14T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-58160"
    }
  ]
}

OPENSUSE-SU-2025:15550-1

Vulnerability from csaf_opensuse - Published: 2025-09-14 00:00 - Updated: 2025-09-14 00:00

Summary

cargo-audit-0.21.2~git0.18e58c2-2.1 on GA media

Notes

Title of the patch

cargo-audit-0.21.2~git0.18e58c2-2.1 on GA media

Description of the patch

These are all security issues fixed in the cargo-audit-0.21.2~git0.18e58c2-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15550

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "cargo-audit-0.21.2~git0.18e58c2-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the cargo-audit-0.21.2~git0.18e58c2-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15550",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15550-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-12224 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-12224/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-4574 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-4574/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58160 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58160/"
      }
    ],
    "title": "cargo-audit-0.21.2~git0.18e58c2-2.1 on GA media",
    "tracking": {
      "current_release_date": "2025-09-14T00:00:00Z",
      "generator": {
        "date": "2025-09-14T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15550-1",
      "initial_release_date": "2025-09-14T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-09-14T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
                "product": {
                  "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
                  "product_id": "cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
                "product": {
                  "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
                  "product_id": "cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
                "product": {
                  "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
                  "product_id": "cargo-audit-0.21.2~git0.18e58c2-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64",
                "product": {
                  "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64",
                  "product_id": "cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64"
        },
        "product_reference": "cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le"
        },
        "product_reference": "cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x"
        },
        "product_reference": "cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
        },
        "product_reference": "cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-12224",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-12224"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-12224",
          "url": "https://www.suse.com/security/cve/CVE-2024-12224"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243848 for CVE-2024-12224",
          "url": "https://bugzilla.suse.com/1243848"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-14T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-12224"
    },
    {
      "cve": "CVE-2025-4574",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-4574"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-4574",
          "url": "https://www.suse.com/security/cve/CVE-2025-4574"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243169 for CVE-2025-4574",
          "url": "https://bugzilla.suse.com/1243169"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-14T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-4574"
    },
    {
      "cve": "CVE-2025-58160",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58160"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
          "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58160",
          "url": "https://www.suse.com/security/cve/CVE-2025-58160"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1249007 for CVE-2025-58160",
          "url": "https://bugzilla.suse.com/1249007"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-0.21.2~git0.18e58c2-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-14T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-58160"
    }
  ]
}

GHSA-W443-5H3J-JQCP

Vulnerability from github – Published: 2025-05-14 00:32 – Updated: 2025-05-15 18:26

Summary

Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references.

Original Description

In crossbeam-channel rust crate, the internal Channel type's Drop method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "crossbeam-channel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.11"
            },
            {
              "fixed": "0.5.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-15T18:26:22Z",
    "nvd_published_at": "2025-05-13T22:15:25Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references.\n\n### Original Description\nIn crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.",
  "id": "GHSA-w443-5h3j-jqcp",
  "modified": "2025-05-15T18:26:22Z",
  "published": "2025-05-14T00:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4574"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop",
  "withdrawn": "2025-05-15T18:26:22Z"
}

GHSA-PG9F-39PC-QF8G

Vulnerability from github – Published: 2025-04-10 14:30 – Updated: 2025-09-25 21:13

Summary

crossbeam-channel Vulnerable to Double Free on Drop

Details

The internal Channel type's Drop method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption.

Quoting from the upstream description in merge request #1187:

The problem lies in the fact that dicard_all_messages contained two paths that could lead to head.block being read but only one of them would swap the value. This meant that dicard_all_messages could end up observing a non-null block pointer (and therefore attempting to free it) without setting head.block to null. This would then lead to Channel::drop making a second attempt at dropping the same pointer.

The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.

The fix is in upstream MR #1187 and has been published in 0.5.15

Severity ?

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "crossbeam-channel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.12"
            },
            {
              "fixed": "0.5.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-4574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T14:30:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The internal `Channel` type\u0027s `Drop` method has a race\nwhich could, in some circumstances, lead to a double-free.\nThis could result in memory corruption.\n\nQuoting from the\n[upstream description in merge request \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):\n\n\u003e The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.\n\nThe bug was introduced while fixing a memory leak, in\nupstream [MR \\#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),\nfirst published in 0.5.12.\n\nThe fix is in\nupstream [MR \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)\nand has been published in 0.5.15",
  "id": "GHSA-pg9f-39pc-qf8g",
  "modified": "2025-09-25T21:13:01Z",
  "published": "2025-04-10T14:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4574"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/crossbeam-rs/crossbeam"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "crossbeam-channel Vulnerable to Double Free on Drop"
}

MSRC_CVE-2025-4574

Vulnerability from csaf_microsoft - Published: 2025-05-02 00:00 - Updated: 2025-08-06 00:00

Summary

Crossbeam-channel: crossbeam-channel vulnerable to double free on drop

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-4574 Crossbeam-channel: crossbeam-channel vulnerable to double free on drop - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-4574.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Crossbeam-channel: crossbeam-channel vulnerable to double free on drop",
    "tracking": {
      "current_release_date": "2025-08-06T00:00:00.000Z",
      "generator": {
        "date": "2025-10-20T03:18:58.601Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-4574",
      "initial_release_date": "2025-05-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-07-10T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2025-08-06T00:00:00.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Added kata-containers to Azure Linux 3.0\nAdded rust to Azure Linux 3.0\nAdded azl-compliance to CBL-Mariner 2.0"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 rust 1.75.0-16",
                "product": {
                  "name": "\u003cazl3 rust 1.75.0-16",
                  "product_id": "6"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 rust 1.75.0-16",
                "product": {
                  "name": "azl3 rust 1.75.0-16",
                  "product_id": "19603"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 rust 1.86.0-3",
                "product": {
                  "name": "\u003cazl3 rust 1.86.0-3",
                  "product_id": "4"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 rust 1.86.0-3",
                "product": {
                  "name": "azl3 rust 1.86.0-3",
                  "product_id": "20257"
                }
              }
            ],
            "category": "product_name",
            "name": "rust"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 kata-containers-cc 3.15.0.aks0-4",
                "product": {
                  "name": "azl3 kata-containers-cc 3.15.0.aks0-4",
                  "product_id": "5"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 kata-containers-cc 3.15.0.aks0-5",
                "product": {
                  "name": "azl3 kata-containers-cc 3.15.0.aks0-5",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "kata-containers-cc"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 azl-compliance 1.0.2-2",
                "product": {
                  "name": "\u003ccbl2 azl-compliance 1.0.2-2",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 azl-compliance 1.0.2-2",
                "product": {
                  "name": "cbl2 azl-compliance 1.0.2-2",
                  "product_id": "20258"
                }
              }
            ],
            "category": "product_name",
            "name": "azl-compliance"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 kata-containers 3.15.0.aks0-2",
                "product": {
                  "name": "\u003cazl3 kata-containers 3.15.0.aks0-2",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 kata-containers 3.15.0.aks0-2",
                "product": {
                  "name": "azl3 kata-containers 3.15.0.aks0-2",
                  "product_id": "20259"
                }
              }
            ],
            "category": "product_name",
            "name": "kata-containers"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 rust 1.75.0-16 as a component of Azure Linux 3.0",
          "product_id": "17084-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rust 1.75.0-16 as a component of Azure Linux 3.0",
          "product_id": "19603-17084"
        },
        "product_reference": "19603",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kata-containers-cc 3.15.0.aks0-4 as a component of Azure Linux 3.0",
          "product_id": "17084-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kata-containers-cc 3.15.0.aks0-5 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 rust 1.86.0-3 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rust 1.86.0-3 as a component of Azure Linux 3.0",
          "product_id": "20257-17084"
        },
        "product_reference": "20257",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 azl-compliance 1.0.2-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 azl-compliance 1.0.2-2 as a component of CBL Mariner 2.0",
          "product_id": "20258-17086"
        },
        "product_reference": "20258",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 kata-containers 3.15.0.aks0-2 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kata-containers 3.15.0.aks0-2 as a component of Azure Linux 3.0",
          "product_id": "20259-17084"
        },
        "product_reference": "20259",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-4574",
      "cwe": {
        "id": "CWE-415",
        "name": "Double Free"
      },
      "notes": [
        {
          "category": "general",
          "text": "redhat",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "19603-17084",
          "20257-17084",
          "20258-17086",
          "20259-17084"
        ],
        "known_affected": [
          "17084-6",
          "17084-5",
          "17084-1",
          "17084-4",
          "17086-3",
          "17084-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-4574 Crossbeam-channel: crossbeam-channel vulnerable to double free on drop - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-4574.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-10T00:00:00.000Z",
          "details": "1.75.0-16:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-6"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2025-07-10T00:00:00.000Z",
          "details": "1.86.0-3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-4"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2025-07-10T00:00:00.000Z",
          "details": "1.0.2-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-3"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2025-07-10T00:00:00.000Z",
          "details": "3.18.0.kata0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "17084-6",
            "17084-5",
            "17084-1",
            "17084-4",
            "17086-3",
            "17084-2"
          ]
        }
      ],
      "title": "Crossbeam-channel: crossbeam-channel vulnerable to double free on drop"
    }
  ]
}

SUSE-SU-2025:01591-1

Vulnerability from csaf_suse - Published: 2025-05-19 21:24 - Updated: 2025-05-19 21:24

Summary

Security update for python-maturin

Notes

Title of the patch

Security update for python-maturin

Description of the patch

This update for python-maturin fixes the following issues: - CVE-2025-3416: openssl: use-after-free in `Md::fetch` and `Cipher::fetch` when `Some(...)` value passed as `properties` argument to either function (bsc#1242631). - CVE-2025-4574: crossbeam-channel: double-free leading to possible memory corruption in `Channel::drop` when dropping a channel (bsc#1243177).

Patchnames

SUSE-2025-1591,openSUSE-SLE-15.6-2025-1591

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-maturin",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-maturin fixes the following issues:\n\n- CVE-2025-3416: openssl: use-after-free in `Md::fetch` and `Cipher::fetch` when `Some(...)` value passed as\n  `properties` argument to either function (bsc#1242631).\n- CVE-2025-4574: crossbeam-channel: double-free leading to possible memory corruption in `Channel::drop` when dropping\n  a channel (bsc#1243177).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-1591,openSUSE-SLE-15.6-2025-1591",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_01591-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:01591-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202501591-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:01591-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-May/039256.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1242631",
        "url": "https://bugzilla.suse.com/1242631"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1243177",
        "url": "https://bugzilla.suse.com/1243177"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-3416 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-3416/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-4574 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-4574/"
      }
    ],
    "title": "Security update for python-maturin",
    "tracking": {
      "current_release_date": "2025-05-19T21:24:46Z",
      "generator": {
        "date": "2025-05-19T21:24:46Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:01591-1",
      "initial_release_date": "2025-05-19T21:24:46Z",
      "revision_history": [
        {
          "date": "2025-05-19T21:24:46Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-maturin-1.4.0-150600.3.6.1.aarch64",
                "product": {
                  "name": "python311-maturin-1.4.0-150600.3.6.1.aarch64",
                  "product_id": "python311-maturin-1.4.0-150600.3.6.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-maturin-1.4.0-150600.3.6.1.i586",
                "product": {
                  "name": "python311-maturin-1.4.0-150600.3.6.1.i586",
                  "product_id": "python311-maturin-1.4.0-150600.3.6.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-maturin-1.4.0-150600.3.6.1.ppc64le",
                "product": {
                  "name": "python311-maturin-1.4.0-150600.3.6.1.ppc64le",
                  "product_id": "python311-maturin-1.4.0-150600.3.6.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-maturin-1.4.0-150600.3.6.1.s390x",
                "product": {
                  "name": "python311-maturin-1.4.0-150600.3.6.1.s390x",
                  "product_id": "python311-maturin-1.4.0-150600.3.6.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-maturin-1.4.0-150600.3.6.1.x86_64",
                "product": {
                  "name": "python311-maturin-1.4.0-150600.3.6.1.x86_64",
                  "product_id": "python311-maturin-1.4.0-150600.3.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-maturin-1.4.0-150600.3.6.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.aarch64"
        },
        "product_reference": "python311-maturin-1.4.0-150600.3.6.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-maturin-1.4.0-150600.3.6.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.ppc64le"
        },
        "product_reference": "python311-maturin-1.4.0-150600.3.6.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-maturin-1.4.0-150600.3.6.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.s390x"
        },
        "product_reference": "python311-maturin-1.4.0-150600.3.6.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-maturin-1.4.0-150600.3.6.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.x86_64"
        },
        "product_reference": "python311-maturin-1.4.0-150600.3.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-3416",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-3416"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in OpenSSL\u0027s handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.aarch64",
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.ppc64le",
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.s390x",
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-3416",
          "url": "https://www.suse.com/security/cve/CVE-2025-3416"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1242599 for CVE-2025-3416",
          "url": "https://bugzilla.suse.com/1242599"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.aarch64",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.ppc64le",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.s390x",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.aarch64",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.ppc64le",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.s390x",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-19T21:24:46Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-3416"
    },
    {
      "cve": "CVE-2025-4574",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-4574"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.aarch64",
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.ppc64le",
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.s390x",
          "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-4574",
          "url": "https://www.suse.com/security/cve/CVE-2025-4574"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243169 for CVE-2025-4574",
          "url": "https://bugzilla.suse.com/1243169"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.aarch64",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.ppc64le",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.s390x",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.aarch64",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.ppc64le",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.s390x",
            "openSUSE Leap 15.6:python311-maturin-1.4.0-150600.3.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-19T21:24:46Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-4574"
    }
  ]
}

FKIE_CVE-2025-4574

Vulnerability from fkie_nvd - Published: 2025-05-13 22:15 - Updated: 2025-05-16 14:43

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Summary

In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

References

	URL	Tags
	secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2025-4574
	secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2358890
	secalert@redhat.com	https://github.com/crossbeam-rs/crossbeam/pull/1187

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In crossbeam-channel rust crate, the internal `Channel` type\u0027s `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption."
    },
    {
      "lang": "es",
      "value": "En la caja de \u00f3xido de canal transversal, el m\u00e9todo `Drop` del tipo `Channel` interno tiene una condici\u00f3n de ejecuci\u00f3n que podr\u00eda, en algunas circunstancias, generar una doble liberaci\u00f3n que podr\u00eda provocar una corrupci\u00f3n de memoria."
    }
  ],
  "id": "CVE-2025-4574",
  "lastModified": "2025-05-16T14:43:56.797",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-13T22:15:25.143",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4574"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-415"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-4574 (GCVE-0-2025-4574)

OPENSUSE-SU-2025:15551-1

OPENSUSE-SU-2025:15550-1

GHSA-W443-5H3J-JQCP

Duplicate Advisory

Original Description

GHSA-PG9F-39PC-QF8G

MSRC_CVE-2025-4574

SUSE-SU-2025:01591-1

FKIE_CVE-2025-4574

Tags

Sightings

Nomenclature