TROVE-2025-013 double-free in crossbeam-channel

crossbeam-channel has a double free, https://github.com/crossbeam-rs/crossbeam/pull/1187

The relevant version of crossbeam-channel has been yanked and a new version has been published. !2931 (merged) is the MR to update our Cargo.lock. The vulnerable versions of crossbeam are mentioned in the lockfiles of many earlier Arti releases.

The issue does not seem to be readily exploitable, if at all, so we're calling it Low.