RUSTSEC-2021-0093: 
Rust vulnerability analysis and mitigation

crossbeam-deque, a Rust package for work-stealing deques used in task schedulers, was found to contain a race condition vulnerability in versions prior to 0.7.4 and 0.8.0. The vulnerability was assigned CVE-2021-32810 and tracked as RUSTSEC-2021-0093. The issue affects crates utilizing specific Stealer methods including steal, stealbatch, and stealbatchandpop (GitHub Advisory).

The vulnerability manifests as a race condition where tasks in the worker queue can be popped twice, while other tasks are forgotten and never popped. This behavior occurs specifically when using the Stealer::steal, Stealer::stealbatch, or Stealer::stealbatchandpop methods (GitHub Advisory).

The impact of this vulnerability is significant, particularly when tasks are allocated on the heap. In such cases, the double-popping of tasks can lead to double-free vulnerabilities and memory leaks. Even in cases where tasks are not heap-allocated, the issue can cause logical bugs in the affected applications (GitHub Advisory).

The vulnerability has been patched in crossbeam-deque versions 0.8.1 and 0.7.4. Users are advised to upgrade to these or later versions to mitigate the issue. The fix was implemented by Maor Kleinberger (GitHub Advisory, Debian Tracker).