Description
unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of publication, there are no publicly available patches.
Published: 2026-06-12
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The unbounded_spsc queue, in releases 0.2.0 and earlier, contains a flaw in the Sender::send implementation where a pointer is transmuted as if it were a value. This mis-typed transmute leads to an out-of-bounds read and the drop of a fake Arc when a transmit and a receive operation race. The flaw has been classified under CWE-125, CWE-415, CWE-704, and CWE-787. The resulting uncontrolled memory corruption could leak or corrupt data or cause the process to terminate. The CVSS score of 5.8 reflects moderate severity.

Affected Systems

The affected product is spearman's unbounded‑spsc Rust library. Versions 0.2.0 and earlier are known to contain the flaw; the status of later releases is unknown because the advisory does not provide version comparisons beyond 0.2.0.

Risk and Exploitability

The EPSS score is below 1 %, indicating a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires a concurrent transmit/receive race on the queue, which an attacker could trigger only with influence over the application's concurrent execution environment. The attack vector is therefore inferred to be a race condition between a sender and a receiver during normal operation.

Generated by OpenCVE AI on June 12, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If your application uses the unbounded-spsc crate (by spearman) and no patch exists, consider removing or replacing the library with a safe alternative.
  • If an upgrade is not possible, serialize all queue operations or guard the queue with a mutex to eliminate the race condition that triggers the flaw and mitigate out-of-bounds memory corruption (CWE-787).
  • Enable runtime sanitizers such as AddressSanitizer during development and testing so that out-of-bounds reads are detected; for Rust code, running the test suite under Miri (cargo miri) additionally flags invalid transmutes and other undefined behaviour, helping to surface any remaining instances of the vulnerability.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-6m57-8r3p-pqx6
Title: unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race
History

Fri, 12 Jun 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Spearman, Spearman unbounded-spsc
Type: Vendors & Products
Values Added: Spearman, Spearman unbounded-spsc

Fri, 12 Jun 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type: Description
Values Added: unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of publication, there are no publicly available patches.
Type: Title
Values Added: unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race
Type: Weaknesses
Values Added: CWE-125, CWE-415, CWE-704, CWE-787
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:54:30.265Z

Reserved: 2026-05-15T21:46:51.548Z

Link: CVE-2026-46690

Vulnrichment

Updated: 2026-06-12T15:53:25.480Z

NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:29.197

Modified: 2026-06-12T17:16:23.640

Link: CVE-2026-46690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:20:02Z

Weaknesses