CWE-704
Allowed-with-ReviewIncorrect Type Conversion or Cast
Abstraction: Class · Status: Incomplete
The product does not correctly convert an object, resource, or structure from one type to a different type.
334 vulnerabilities reference this CWE, most recent first.
GHSA-678V-754J-47W8
Vulnerability from github – Published: 2022-05-14 03:44 – Updated: 2022-05-14 03:44A type confusion issue was discovered in CCN-lite 2, leading to a memory access violation and a failure of the nonce feature (which, for example, helped with loop prevention). ccnl_fwd_handleInterest assumes that the union member s is of type ccnl_pktdetail_ndntlv_s. However, if the type is in fact struct ccnl_pktdetail_ccntlv_s or struct ccnl_pktdetail_iottlv_s, the memory at that point is either uninitialised or points to data that is not a nonce, which renders the code using the local variable nonce pointless. A later nonce check is insufficient.
{
"affected": [],
"aliases": [
"CVE-2018-6480"
],
"database_specific": {
"cwe_ids": [
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-31T20:29:00Z",
"severity": "HIGH"
},
"details": "A type confusion issue was discovered in CCN-lite 2, leading to a memory access violation and a failure of the nonce feature (which, for example, helped with loop prevention). ccnl_fwd_handleInterest assumes that the union member s is of type ccnl_pktdetail_ndntlv_s. However, if the type is in fact struct ccnl_pktdetail_ccntlv_s or struct ccnl_pktdetail_iottlv_s, the memory at that point is either uninitialised or points to data that is not a nonce, which renders the code using the local variable nonce pointless. A later nonce check is insufficient.",
"id": "GHSA-678v-754j-47w8",
"modified": "2022-05-14T03:44:10Z",
"published": "2022-05-14T03:44:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6480"
},
{
"type": "WEB",
"url": "https://github.com/cn-uofbasel/ccn-lite/issues/159"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-67W2-VVM4-FJR9
Vulnerability from github – Published: 2022-03-24 00:00 – Updated: 2022-03-29 00:01A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild address read in the Get16u function in exif.c in will cause segmentation fault via a crafted_file.
{
"affected": [],
"aliases": [
"CVE-2021-28275"
],
"database_specific": {
"cwe_ids": [
"CWE-704",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-23T21:15:00Z",
"severity": "MODERATE"
},
"details": "A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild address read in the Get16u function in exif.c in will cause segmentation fault via a crafted_file.",
"id": "GHSA-67w2-vvm4-fjr9",
"modified": "2022-03-29T00:01:19Z",
"published": "2022-03-24T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28275"
},
{
"type": "WEB",
"url": "https://github.com/Matthias-Wandel/jhead/issues/17"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-694G-QCVR-75CX
Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05Type Confusion in the implementation of defineGetter in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2018-6064"
],
"database_specific": {
"cwe_ids": [
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-14T15:29:00Z",
"severity": "HIGH"
},
"details": "Type Confusion in the implementation of __defineGetter__ in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-694g-qcvr-75cx",
"modified": "2022-05-14T01:05:54Z",
"published": "2022-05-14T01:05:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6064"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0484"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/798644"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4182"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44394"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-368"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103297"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6C6C-HP4F-XG67
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-05-24 17:25In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.
{
"affected": [],
"aliases": [
"CVE-2020-13293"
],
"database_specific": {
"cwe_ids": [
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-10T14:15:00Z",
"severity": "MODERATE"
},
"details": "In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.",
"id": "GHSA-6c6c-hp4f-xg67",
"modified": "2022-05-24T17:25:10Z",
"published": "2022-05-24T17:25:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13293"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/790634"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13293.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/202690"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6HQX-C46P-38WW
Vulnerability from github – Published: 2022-05-14 01:27 – Updated: 2022-05-14 01:27Adobe Flash Player versions 29.0.0.171 and earlier have a Type Confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
{
"affected": [],
"aliases": [
"CVE-2018-4945"
],
"database_specific": {
"cwe_ids": [
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T19:29:00Z",
"severity": "HIGH"
},
"details": "Adobe Flash Player versions 29.0.0.171 and earlier have a Type Confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.",
"id": "GHSA-6hqx-c46p-38ww",
"modified": "2022-05-14T01:27:45Z",
"published": "2022-05-14T01:27:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4945"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1827"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb18-19.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201806-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104413"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041058"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JR7-XR67-MGXW
Vulnerability from github – Published: 2022-09-10 00:00 – Updated: 2025-11-04 00:30A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2020-10735"
],
"database_specific": {
"cwe_ids": [
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-09T14:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.",
"id": "GHSA-6jr7-xr67-mgxw",
"modified": "2025-11-04T00:30:34Z",
"published": "2022-09-10T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10735"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/95778"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:6766"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V7ZUJDHK7KNG6SLIFXW7MNZ6O2PUJYK6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEOAJWGGY55QU35UM2OVZATBW5MX2OZD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VCU6EVQDIXNCEDJUCTFIER2WVNNDTYZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32AAQKABEKFCB5DDV5OONRZK6BS23HPW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EWKR2SPX3JORLWCXFY3KN2U5B5CIUQQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XL6E5A3I36TRR73VNBOXNIQP4AMZDFZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/76YE7AM37MRU76XJV4M27CWDAMUGNRYK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSRPVJZL6DJFWKYRHMNJB7VCEUCBKRF5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHC6IUU7CLRQ3QLPWUXLONSG3SXFTR47"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT5U223OE5ZOUHZAZYSYSWVJQIKDE73E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT5WQB7Z3CXOWVBD2AFAHYPA5ONYFFZ4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD7FTLJOIGMUSCDR3JAN6WRFHJEE4PH5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZYJSGLSCQOKXXFVJVJQAXLEOJBIWGEL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TD7JDDKJXK6D26XAN3YRFNM2LAJHT5UO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMWPRAAJS7I6U3U45V7GZVXWNSECI22M"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4ZZV4CDFRMTPDBI7C5L43RFL3XLIGUY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBPDVCDIUCEBE7C4NAGNA2KQJYOTPBAZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V7ZUJDHK7KNG6SLIFXW7MNZ6O2PUJYK6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEOAJWGGY55QU35UM2OVZATBW5MX2OZD"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:7323"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-10735"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834423"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VCU6EVQDIXNCEDJUCTFIER2WVNNDTYZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/32AAQKABEKFCB5DDV5OONRZK6BS23HPW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4EWKR2SPX3JORLWCXFY3KN2U5B5CIUQQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XL6E5A3I36TRR73VNBOXNIQP4AMZDFZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/76YE7AM37MRU76XJV4M27CWDAMUGNRYK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSRPVJZL6DJFWKYRHMNJB7VCEUCBKRF5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHC6IUU7CLRQ3QLPWUXLONSG3SXFTR47"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OT5U223OE5ZOUHZAZYSYSWVJQIKDE73E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OT5WQB7Z3CXOWVBD2AFAHYPA5ONYFFZ4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD7FTLJOIGMUSCDR3JAN6WRFHJEE4PH5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZYJSGLSCQOKXXFVJVJQAXLEOJBIWGEL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TD7JDDKJXK6D26XAN3YRFNM2LAJHT5UO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMWPRAAJS7I6U3U45V7GZVXWNSECI22M"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4ZZV4CDFRMTPDBI7C5L43RFL3XLIGUY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBPDVCDIUCEBE7C4NAGNA2KQJYOTPBAZ"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/21/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/21/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6M57-8R3P-PQX6
Vulnerability from github – Published: 2026-05-29 19:05 – Updated: 2026-06-12 19:31Summary
Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer (*mut Producer<T>) into the bytes of a value-level Consumer<T>. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level of indirection off.
The resulting Consumer<T> has its internal Arc::ptr set to the address of the producer field on the Sender, not the real ArcInner<Buffer<T>>. Every subsequent consumer.try_pop() walks Buffer<T> fields at offsets that lie inside the Sender<T> struct (over send_new, inner) and adjacent memory, an out-of-bounds read. When the fake Consumer<T> is dropped at the end of the unsafe block, its Drop calls Arc::drop_in_place on a non-ArcInner address: it decrements bytes that the type system treats as strong_count: AtomicUsize but that are actually the real Arc::ptr value of the Sender, and at zero count it calls dealloc(Layout::for_value(...)) on an address the allocator never returned.
Reachable from 100% safe Rust through the canonical channel pattern: a tx.send(msg) that races with rx.drop(). This is consistent with the SIGSEGV that issue #3 reports in your own test suite.
Affected code (0.2.0, master at 23a9ce7)
```rust // src/lib.rs:384-401 DISCONNECTED => { self.inner.counter.store (DISCONNECTED, Ordering::SeqCst); // We want to guarantee if a message was not received that we get it // back; since spsc::{Producer,Consumer} have the same // internal representation (as a singleton struct containing Arc // >), we can safely transmute the producer in order to // pop the message back if it was orphaned. unsafe { let consumer : spsc::Consumer = std::mem::transmute (self.producer.get()); // <-- POINTER, not value let first = consumer.try_pop(); let second = consumer.try_pop(); assert!(second.is_none()); // <-- line 396; smoking-gun assert if let Some(t) = first { return Err (SendError (t)) } } }, self.producer is UnsafeCell> (line 29). UnsafeCell::::get(&self) returns mut X, a raw pointer, 8 bytes on 64-bit. The signature of transmute is transmute::(src: Src) -> Dst, so the call expands to transmute::<mut spsc::Producer, spsc::Consumer>(self.producer.get()). 8 bytes of pointer are reinterpreted as the bytes of a Consumer.
In bounded-spsc-queue-0.4.0, both Producer and Consumer are newtypes around Arc>, one pointer wide. The destination value therefore has Arc::ptr == &mut Producer as *const ArcInner>. To be a valid Arc>, that pointer must point to ArcInner { strong: AtomicUsize, weak: AtomicUsize, data: Buffer }, but it actually points to the start of Sender (the producer field). The first 8 bytes there hold the real Arc::ptr. The fake Arc reads those bytes as strong_count. The fake try_pop() then reads Buffer head/tail/data slots starting at offset 16 inside the Sender, that is, inside the send_new and inner fields.
The author's intent (per the comment at lines 386-390) was a value-level transmute:
let producer_val: spsc::Producer = std::ptr::read(self.producer.get()); let consumer : spsc::Consumer = std::mem::transmute(producer_val); which is layout-sound iff Producer and Consumer have identical layouts (they do, both are single-Arc newtypes). The shipped code is one indirection off.
Reachability The branch is not reachable single-threaded. Receiver::drop (line 332) stores connected = false before setting counter = DISCONNECTED; Sender::send (line 359) early-returns on connected == false. The trigger is a TOCTOU race:
Sender's self.inner.connected.load(SeqCst) reads true. Receiver-drop runs: stores connected = false and counter.compare_exchange(_, DISCONNECTED, SeqCst, SeqCst). Sender's self.inner.counter.fetch_add(1, SeqCst) (line 379) sees DISCONNECTED and enters the unsafe block. Under heavy contention this reproduces ~3/10 trials in release mode.
Proof of concept (race shape) // Cargo.toml: unbounded-spsc = "0.2" use std::thread; use unbounded_spsc::channel;
fn main() { for trial in 0..500 { let (tx, rx) = channel::>(); let started = std::sync::Arc::new( std::sync::atomic::AtomicBool::new(false)); let s = started.clone(); let h = thread::spawn(move || { s.store(true, std::sync::atomic::Ordering::SeqCst); for _ in 0..10_000 { let _ = tx.send(Box::new(0xDEAD_BEEF)); } }); while !started.load(std::sync::atomic::Ordering::SeqCst) { std::hint::spin_loop(); } drop(rx); let _ = h.join(); eprintln!("trial {trial} ok"); } } Observed:
Release-mode (no sanitizer): Segmentation fault (core dumped) reliably within a few trials. The non-segfaulting trials are masked by the separate send_new.send(new_consumer).unwrap() panic, see Secondary defect below. -Zsanitizer=address -Zbuild-std (nightly): ASan reports stack-buffer-overflow / stack-use-after-scope from the fake-Consumer's try_pop walking off the Sender frame. This matches the SIGSEGV reported in your own issue #3.
Smoking-gun upstream evidence src/lib.rs:975 in the project's test suite carries a TODO:
// TODO: failures // - failed with assertion on line 394 in send fn // assert!(second.is_none()) That is the assertion site of the transmute block (line 396 in 0.2.0 / master). You have observed try_pop() returning a non-None value where logically there should be none, which is exactly what reading random bytes from the Sender's send_new / inner fields produces, and the symptom has been marked as a flaky test rather than recognised as UB.
Impact Reachable from 100% safe Rust. Concrete UB primitives:
OOB read of bytes adjacent to the Sender struct via fake Consumer::try_pop(). The popped T is returned through Err(SendError(t)) to safe-code, an allocator-layout-controlled leak of process memory. OOB write via fake Arc::drop AtomicUsize::fetch_sub on bytes that are actually the real Arc::ptr value of the Sender. Allocator corruption via fake Arc::drop calling dealloc(Layout::for_value(...)) on a non-allocated address. The Sender struct holds the real Arc immediately after the producer field; the deallocator call therefore uses a layout the allocator never allocated, which on glibc is a confirmed double-free / arbitrary-bucket-poisoning primitive, and on hardened allocators (jemalloc-secure, mimalloc-secure) is an immediate abort. Secondary defect (same call path, bonus) Sender::send line 369:
self.send_new.send(new_consumer).unwrap(); When the Sender's message queue is full, a fresh bounded_spsc_queue::Channel is allocated and the new Consumer is shipped over an std::sync::mpsc side-channel to the Receiver. If the Receiver has already been dropped, receive_new is gone and this unwrap() panics. The panic surfaces in your own test suite, issue #2 (tests::port_gone_concurrent panicked at src/lib.rs:369) and the in-source TODO at lines 365-368 already note the question "Are we sure that this is safe to unwrap or should we handle the result explicitly ?".
The fix is to return Err(SendError(t)) instead of unwrapping, same shape as the channel-closed result the function already returns on the connected-false path. This is not a memory-safety defect, only a panic, but it lives on the same TX/RX-race code path and a single coordinated patch can address both. Filing it here so we cover the full call site in one cycle.
Suggested patch (primary defect) Replace the pointer-as-value transmute with a value-level read and a ManuallyDrop to suppress the alias's Producer::drop on subsequent exit:
unsafe { use core::mem::ManuallyDrop;
// Sound value-level transmute: Producer<T> and Consumer<T> are both
// newtypes around Arc<Buffer<T>>, so the value layouts match.
// ptr::read takes ownership of the Producer's bytes without running
// Producer's Drop.
let producer_val: spsc::Producer<T> = std::ptr::read(self.producer.get());
let consumer : spsc::Consumer<T> = std::mem::transmute(producer_val);
let first = consumer.try_pop();
let second = consumer.try_pop();
assert!(second.is_none());
if let Some(t) = first {
return Err(SendError(t));
}
// consumer drops here; the same memory backs `producer`, so suppress
// the double Producer drop:
let _ = ManuallyDrop::new(consumer);
} Cleaner: restructure Sender to hold producer and consumer in a private enum Endpoint so no transmute is required, or use the bounded_spsc_queue::Producer::reclaim() escape hatch if available.
Suggested patch (secondary defect) if let Err(std::sync::mpsc::SendError(_)) = self.send_new.send(new_consumer) { // Receiver has been dropped: take the message back as the public // SendError, the same way the connected==false early-return does. return Err(SendError(t)); } Regression test (release-mode, race shape)
[test]
fn race_disconnect_does_not_corrupt_sender_or_abort() { for _ in 0..200 { let (tx, rx) = unbounded_spsc::channel::>(); let h = std::thread::spawn(move || { for _ in 0..10_000 { let _ = tx.send(Box::new(0xDEAD_BEEF)); } }); drop(rx); h.join().unwrap(); } } Reverse dependencies Two crates on crates.io depend on unbounded-spsc, both owned by you: apis (process-calculus framework) and gooey-rs (tile-UI library, unbounded-spsc gated behind opengl/fmod features). The OpenGL/FMOD callback-mailbox use is a natural rx-drop-during-tx-send scenario at scene-graph teardown. A single coordinated bump cycle is feasible.
Researcher Berkant Koc me@berkoc.com PGP: 0C588DFD76204987284213EA0AC529C41F8AA5D6
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "unbounded-spsc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46690"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-415",
"CWE-704",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T19:05:21Z",
"nvd_published_at": "2026-06-12T16:16:29Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n`Sender::send` in `src/lib.rs` contains an `unsafe` block in the `DISCONNECTED` arm that transmutes a **raw pointer** (`*mut Producer\u003cT\u003e`) into the bytes of a **value-level** `Consumer\u003cT\u003e`. The author\u0027s intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level of indirection off.\n\nThe resulting `Consumer\u003cT\u003e` has its internal `Arc::ptr` set to the address of the `producer` field on the `Sender`, not the real `ArcInner\u003cBuffer\u003cT\u003e\u003e`. Every subsequent `consumer.try_pop()` walks `Buffer\u003cT\u003e` fields at offsets that lie inside the `Sender\u003cT\u003e` struct (over `send_new`, `inner`) and adjacent memory, an out-of-bounds read. When the fake `Consumer\u003cT\u003e` is dropped at the end of the `unsafe` block, its `Drop` calls `Arc::drop_in_place` on a non-`ArcInner` address: it decrements bytes that the type system treats as `strong_count: AtomicUsize` but that are actually the real `Arc::ptr` value of the `Sender`, and at zero count it calls `dealloc(Layout::for_value(...))` on an address the allocator never returned.\n\nReachable from 100% safe Rust through the canonical channel pattern: a `tx.send(msg)` that races with `rx.drop()`. This is consistent with the SIGSEGV that issue #3 reports in your own test suite.\n\n## Affected code (0.2.0, master at `23a9ce7`)\n\n```rust\n// src/lib.rs:384-401\nDISCONNECTED =\u003e {\n self.inner.counter.store (DISCONNECTED, Ordering::SeqCst);\n // We want to guarantee if a message was not received that we get it\n // back; since spsc::{Producer,Consumer} have the same\n // internal representation (as a singleton struct containing Arc\n // \u003cBuffer \u003cT\u003e\u003e), we can safely transmute the producer in order to\n // pop the message back if it was orphaned.\n unsafe {\n let consumer : spsc::Consumer \u003cT\u003e\n = std::mem::transmute (self.producer.get()); // \u003c-- POINTER, not value\n let first = consumer.try_pop();\n let second = consumer.try_pop();\n assert!(second.is_none()); // \u003c-- line 396; smoking-gun assert\n if let Some(t) = first {\n return Err (SendError (t))\n }\n }\n},\nself.producer is UnsafeCell\u003cspsc::Producer\u003cT\u003e\u003e (line 29). UnsafeCell::\u003cX\u003e::get(\u0026self) returns *mut X, a raw pointer, 8 bytes on 64-bit. The signature of transmute is transmute::\u003cSrc, Dst\u003e(src: Src) -\u003e Dst, so the call expands to transmute::\u003c*mut spsc::Producer\u003cT\u003e, spsc::Consumer\u003cT\u003e\u003e(self.producer.get()). 8 bytes of pointer are reinterpreted as the bytes of a Consumer\u003cT\u003e.\n\nIn bounded-spsc-queue-0.4.0, both Producer\u003cT\u003e and Consumer\u003cT\u003e are newtypes around Arc\u003cBuffer\u003cT\u003e\u003e, one pointer wide. The destination value therefore has Arc::ptr == \u0026mut Producer\u003cT\u003e as *const ArcInner\u003cBuffer\u003cT\u003e\u003e. To be a valid Arc\u003cBuffer\u003cT\u003e\u003e, that pointer must point to ArcInner { strong: AtomicUsize, weak: AtomicUsize, data: Buffer\u003cT\u003e }, but it actually points to the start of Sender\u003cT\u003e (the producer field). The first 8 bytes there hold the real Arc::ptr. The fake Arc reads those bytes as strong_count. The fake try_pop() then reads Buffer\u003cT\u003e head/tail/data slots starting at offset 16 inside the Sender\u003cT\u003e, that is, inside the send_new and inner fields.\n\nThe author\u0027s intent (per the comment at lines 386-390) was a value-level transmute:\n\nlet producer_val: spsc::Producer\u003cT\u003e = std::ptr::read(self.producer.get());\nlet consumer : spsc::Consumer\u003cT\u003e = std::mem::transmute(producer_val);\nwhich is layout-sound iff Producer\u003cT\u003e and Consumer\u003cT\u003e have identical layouts (they do, both are single-Arc newtypes). The shipped code is one indirection off.\n\nReachability\nThe branch is not reachable single-threaded. Receiver::drop (line 332) stores connected = false before setting counter = DISCONNECTED; Sender::send (line 359) early-returns on connected == false. The trigger is a TOCTOU race:\n\nSender\u0027s self.inner.connected.load(SeqCst) reads true.\nReceiver-drop runs: stores connected = false and counter.compare_exchange(_, DISCONNECTED, SeqCst, SeqCst).\nSender\u0027s self.inner.counter.fetch_add(1, SeqCst) (line 379) sees DISCONNECTED and enters the unsafe block.\nUnder heavy contention this reproduces ~3/10 trials in release mode.\n\nProof of concept (race shape)\n// Cargo.toml: unbounded-spsc = \"0.2\"\nuse std::thread;\nuse unbounded_spsc::channel;\n\nfn main() {\n for trial in 0..500 {\n let (tx, rx) = channel::\u003cBox\u003cu64\u003e\u003e();\n let started = std::sync::Arc::new(\n std::sync::atomic::AtomicBool::new(false));\n let s = started.clone();\n let h = thread::spawn(move || {\n s.store(true, std::sync::atomic::Ordering::SeqCst);\n for _ in 0..10_000 {\n let _ = tx.send(Box::new(0xDEAD_BEEF));\n }\n });\n while !started.load(std::sync::atomic::Ordering::SeqCst) {\n std::hint::spin_loop();\n }\n drop(rx);\n let _ = h.join();\n eprintln!(\"trial {trial} ok\");\n }\n}\nObserved:\n\nRelease-mode (no sanitizer): Segmentation fault (core dumped) reliably within a few trials. The non-segfaulting trials are masked by the separate send_new.send(new_consumer).unwrap() panic, see Secondary defect below.\n-Zsanitizer=address -Zbuild-std (nightly): ASan reports stack-buffer-overflow / stack-use-after-scope from the fake-Consumer\u0027s try_pop walking off the Sender frame.\nThis matches the SIGSEGV reported in your own issue #3.\n\nSmoking-gun upstream evidence\nsrc/lib.rs:975 in the project\u0027s test suite carries a TODO:\n\n// TODO: failures\n// - failed with assertion on line 394 in send fn\n// assert!(second.is_none())\nThat is the assertion site of the transmute block (line 396 in 0.2.0 / master). You have observed try_pop() returning a non-None value where logically there should be none, which is exactly what reading random bytes from the Sender\u0027s send_new / inner fields produces, and the symptom has been marked as a flaky test rather than recognised as UB.\n\nImpact\nReachable from 100% safe Rust. Concrete UB primitives:\n\nOOB read of bytes adjacent to the Sender\u003cT\u003e struct via fake Consumer\u003cT\u003e::try_pop(). The popped T is returned through Err(SendError(t)) to safe-code, an allocator-layout-controlled leak of process memory.\nOOB write via fake Arc::drop AtomicUsize::fetch_sub on bytes that are actually the real Arc::ptr value of the Sender.\nAllocator corruption via fake Arc::drop calling dealloc(Layout::for_value(...)) on a non-allocated address. The Sender struct holds the real Arc\u003cInner\u003e immediately after the producer field; the deallocator call therefore uses a layout the allocator never allocated, which on glibc is a confirmed double-free / arbitrary-bucket-poisoning primitive, and on hardened allocators (jemalloc-secure, mimalloc-secure) is an immediate abort.\nSecondary defect (same call path, bonus)\nSender::send line 369:\n\nself.send_new.send(new_consumer).unwrap();\nWhen the Sender\u0027s message queue is full, a fresh bounded_spsc_queue::Channel is allocated and the new Consumer\u003cT\u003e is shipped over an std::sync::mpsc side-channel to the Receiver. If the Receiver has already been dropped, receive_new is gone and this unwrap() panics. The panic surfaces in your own test suite, issue #2 (tests::port_gone_concurrent panicked at src/lib.rs:369) and the in-source TODO at lines 365-368 already note the question \"Are we sure that this is safe to unwrap or should we handle the result explicitly ?\".\n\nThe fix is to return Err(SendError(t)) instead of unwrapping, same shape as the channel-closed result the function already returns on the connected-false path. This is not a memory-safety defect, only a panic, but it lives on the same TX/RX-race code path and a single coordinated patch can address both. Filing it here so we cover the full call site in one cycle.\n\nSuggested patch (primary defect)\nReplace the pointer-as-value transmute with a value-level read and a ManuallyDrop to suppress the alias\u0027s Producer::drop on subsequent exit:\n\nunsafe {\n use core::mem::ManuallyDrop;\n\n // Sound value-level transmute: Producer\u003cT\u003e and Consumer\u003cT\u003e are both\n // newtypes around Arc\u003cBuffer\u003cT\u003e\u003e, so the value layouts match.\n // ptr::read takes ownership of the Producer\u0027s bytes without running\n // Producer\u0027s Drop.\n let producer_val: spsc::Producer\u003cT\u003e = std::ptr::read(self.producer.get());\n let consumer : spsc::Consumer\u003cT\u003e = std::mem::transmute(producer_val);\n\n let first = consumer.try_pop();\n let second = consumer.try_pop();\n assert!(second.is_none());\n if let Some(t) = first {\n return Err(SendError(t));\n }\n\n // consumer drops here; the same memory backs `producer`, so suppress\n // the double Producer drop:\n let _ = ManuallyDrop::new(consumer);\n}\nCleaner: restructure Sender\u003cT\u003e to hold producer and consumer in a private enum Endpoint\u003cT\u003e so no transmute is required, or use the bounded_spsc_queue::Producer\u003cT\u003e::reclaim() escape hatch if available.\n\nSuggested patch (secondary defect)\nif let Err(std::sync::mpsc::SendError(_)) = self.send_new.send(new_consumer) {\n // Receiver has been dropped: take the message back as the public\n // SendError, the same way the connected==false early-return does.\n return Err(SendError(t));\n}\nRegression test (release-mode, race shape)\n#[test]\nfn race_disconnect_does_not_corrupt_sender_or_abort() {\n for _ in 0..200 {\n let (tx, rx) = unbounded_spsc::channel::\u003cBox\u003cu64\u003e\u003e();\n let h = std::thread::spawn(move || {\n for _ in 0..10_000 {\n let _ = tx.send(Box::new(0xDEAD_BEEF));\n }\n });\n drop(rx);\n h.join().unwrap();\n }\n}\nReverse dependencies\nTwo crates on crates.io depend on unbounded-spsc, both owned by you: apis (process-calculus framework) and gooey-rs (tile-UI library, unbounded-spsc gated behind opengl/fmod features). The OpenGL/FMOD callback-mailbox use is a natural rx-drop-during-tx-send scenario at scene-graph teardown. A single coordinated bump cycle is feasible.\n\nResearcher\nBerkant Koc me@berkoc.com\nPGP: 0C588DFD76204987284213EA0AC529C41F8AA5D6",
"id": "GHSA-6m57-8r3p-pqx6",
"modified": "2026-06-12T19:31:16Z",
"published": "2026-05-29T19:05:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spearman/unbounded-spsc/security/advisories/GHSA-6m57-8r3p-pqx6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46690"
},
{
"type": "PACKAGE",
"url": "https://github.com/spearman/unbounded-spsc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race"
}
GHSA-6Q75-CF38-2P9P
Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:33Memory corruption in Audio due to incorrect type cast during audio use-cases.
{
"affected": [],
"aliases": [
"CVE-2022-33240"
],
"database_specific": {
"cwe_ids": [
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T08:15:10Z",
"severity": "HIGH"
},
"details": "Memory corruption in Audio due to incorrect type cast during audio use-cases.",
"id": "GHSA-6q75-cf38-2p9p",
"modified": "2024-04-04T04:33:40Z",
"published": "2023-06-06T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33240"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6V85-364Q-MGV8
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote code execution. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); version 8.00 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2020-16103"
],
"database_specific": {
"cwe_ids": [
"CWE-704",
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T20:15:00Z",
"severity": "HIGH"
},
"details": "Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote code execution. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); version 8.00 and prior versions.",
"id": "GHSA-6v85-364q-mgv8",
"modified": "2022-05-24T17:36:17Z",
"published": "2022-05-24T17:36:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16103"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16103"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6XJH-63FF-92MC
Vulnerability from github – Published: 2026-02-27 03:30 – Updated: 2026-02-27 18:31Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact.
The functions addr2cidr and cidrlookup may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.
The documentation advises validating untrusted CIDR strings with the cidrvalidate function. However, this mitigation is optional and not enforced by default. In practice, users may call addr2cidr or cidrlookup with untrusted input and without validation, incorrectly assuming that this is safe.
{
"affected": [],
"aliases": [
"CVE-2021-4456"
],
"database_specific": {
"cwe_ids": [
"CWE-704"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T01:16:13Z",
"severity": "MODERATE"
},
"details": "Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact.\n\nThe functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.\n\nThe documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.",
"id": "GHSA-6xjh-63ff-92mc",
"modified": "2026-02-27T18:31:05Z",
"published": "2026-02-27T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4456"
},
{
"type": "WEB",
"url": "https://github.com/svarshavchik/Net-CIDR/commit/e3648c6bc6bdd018f90cca4149c467017d42bd10"
},
{
"type": "WEB",
"url": "https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros"
},
{
"type": "WEB",
"url": "https://metacpan.org/dist/Net-CIDR/changes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.