CVE-2021-21401 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-21401 PUBLISHED

Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid `free()` or `realloc()` calls if the message type contains an `oneof` field, and the `oneof` directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory for more information including workarounds.

EPSS 0.20% · 41.9th percentile

Risk Scores

EPSS Score

0.20%

41.9th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:20.04:LTS	nanopb	0, 0.4.1-1

Timeline

Mar 23, 2021 CVE Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Aug 31, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Mar 5, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2021-21401 third-party-advisory
https://github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88 third-party-advisory
https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261 third-party-advisory
https://github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt#L1 third-party-advisory
https://github.com/nanopb/nanopb/issues/647 third-party-advisory
https://ubuntu.com/security/notices/USN-6121-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2021-21401 third-party-advisory

Open in Interactive Console →