CVE-2025-4574: 
Rust vulnerability analysis and mitigation

The vulnerability (CVE-2025-4574) affects the crossbeam-channel rust crate, specifically versions 0.5.12 through 0.5.14. The issue was discovered and disclosed on April 8, 2025, involving a race condition in the internal Channel type's Drop method that could lead to a double-free vulnerability, potentially resulting in memory corruption ([NVD], [Wiz Security], [Red Hat CVE]).

The vulnerability stems from a race condition in the discardallmessages method where two paths could lead to head.block being read, but only one would swap the value. This could result in discardallmessages observing a non-null block pointer and attempting to free it without setting head.block to null, leading to Channel::drop making a second attempt at dropping the same pointer. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L ([GitHub PR], [NVD]).

The vulnerability could result in memory corruption due to the double-free condition, potentially leading to program crashes or undefined behavior. The issue affects applications using the crossbeam-channel crate versions 0.5.12 through 0.5.14 ([Red Hat Bugzilla], [Wiz Security]).

The vulnerability has been fixed in crossbeam-channel version 0.5.15. Users are strongly recommended to upgrade to this version or later. The fix ensures proper handling of the head.block pointer to prevent the double-free condition ([GitHub PR], [Debian Security]).