CVE-2026-46690: CWE-125: Out-of-bounds Read in spearman unbounded-spsc
unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, a pointer-as-value transmute in sender::send causes an out-of-bounds (OOB) read and a fake-Arc drop under a TX/RX race. At the time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
The spearman unbounded-spsc queue, an unbounded extension of bounded_spsc_queue, contains a vulnerability in versions 0.2.0 and prior where the sender::send method uses pointer-as-value transmute operations. This leads to an out-of-bounds read and a fake-Arc drop under concurrent transmit/receive race conditions. The issue is classified under CWE-125 (Out-of-bounds Read), CWE-415 (Double Free), CWE-704 (Incorrect Type Conversion or Cast), and CWE-787 (Out-of-bounds Write). No public patches or official remediation are available as of the publication date.
Potential Impact
The vulnerability allows an out-of-bounds read, which can lead to memory corruption, and a fake-Arc drop, which can cause use-after-free or double-free conditions. This can affect confidentiality, integrity, and availability. The CVSS vector indicates a local attack vector, high attack complexity, low privileges required, and no user interaction, with low confidentiality and integrity impact but high availability impact.
Mitigation Recommendations
No official fix or patch is currently available. Users should monitor the vendor or project repository for updates and consider avoiding or limiting use of affected versions until a patch is released. Since the vulnerability requires local access and has high attack complexity, restricting access to trusted users may reduce risk.
CVSS v3.1
Score: 5.8 (Medium)
Affected software
pkg:cargo/github/spearman/unbounded-spsc
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-15T21:46:51.548Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2c2836e617e2d83487d71a
Added to database: 6/12/2026, 3:39:34 PM
Last enriched: 6/12/2026, 3:56:33 PM
Last updated: 6/13/2026, 4:48:45 AM