Skip to content

fix(deps): upgrade crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#1680

Merged
PurpleBooth merged 1 commit into
mainfrom
fix/crossbeam-epoch-0.9.20-rustsec-2026-0204
Jul 13, 2026
Merged

fix(deps): upgrade crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#1680
PurpleBooth merged 1 commit into
mainfrom
fix/crossbeam-epoch-0.9.20-rustsec-2026-0204

Conversation

@PurpleBooth

Copy link
Copy Markdown
Owner

Summary

Patches RUSTSEC-2026-0204 — an invalid pointer dereference in the fmt::Pointer impl for Atomic and Shared when the underlying pointer is invalid (e.g. Atomic::null / Shared::null).

Dependency chain

criterion = "=0.8.2" (dev-dependency)
  → rayon → rayon-core → crossbeam-deque → crossbeam-epoch v0.9.18

Changes

Cargo.lock-only update — no source code changes needed.

-name = "crossbeam-epoch"
-version = "0.9.18"
-checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e"
+name = "crossbeam-epoch"
+version = "0.9.20"
+checksum = "2d6914041f254d6e9176c01941b21115dcfb7089e55135a35411081bd106ef3f"

Verification

  • cargo update -p crossbeam-epoch --precise 0.9.20 applied cleanly
  • cargo check passes
  • CI rust-check / security-audit passes

Context

This vulnerability is currently blocking all open renovate PRs (#1655#1678) which fail on the rust-check / security-audit job.

Patches RUSTSEC-2026-0204: invalid pointer dereference in
fmt::Pointer impl for Atomic and Shared when the underlying
pointer is invalid (e.g. Atomic::null / Shared::null).

Cargo.lock-only update; no source code changes needed.

crossbeam-rs/crossbeam#1276
@PurpleBooth PurpleBooth merged commit d33e505 into main Jul 13, 2026
19 checks passed
@PurpleBooth PurpleBooth deleted the fix/crossbeam-epoch-0.9.20-rustsec-2026-0204 branch July 13, 2026 09:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant