Lucene search
GoogleOSV:CVE-2021-21401HistoryMar 23, 2021 - 6:15 p.m.
CVE-2021-21401
2021-03-2318:15:13
Google
osv.dev
3
Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory for more information including workarounds.
| CPE | Name | Operator | Version |
|---|---|---|---|
| nanopb | eq | 0.4.4 | |
| nanopb | eq | 0.4.1 | |
| nanopb | eq | 0.4.0 | |
| nanopb | eq | nanopb-0.4.0-de | |
| nanopb | eq | nanopb-0.4.3 | |
| nanopb | eq | nanopb-0.4.0 | |
| nanopb | eq | nanopb-0.4.1 | |
| nanopb | eq | nanopb-0.4.2 | |
| nanopb | eq | 0.4.2 | |
| nanopb | eq | nanopb-0.4.4 |
Related
osv
osv
PYSEC-2021-432
2021-03-23 18:15:00
nanopb vulnerabilities
2023-05-30 16:09:29
nvd
nvd
CVE-2021-21401
2021-03-23 18:15:13
cve
cve
CVE-2021-21401
2021-03-23 18:15:13
debiancve
debiancve
CVE-2021-21401
2021-03-23 18:15:13
veracode
veracode
Denial Of Service (DoS)
2021-04-16 21:59:43
prion
prion
Null pointer dereference
2021-03-23 18:15:00
cvelist
cvelist
CVE-2021-21401 Invalid free() call in Nanopb
2021-03-23 17:45:19
ubuntucve
ubuntucve
CVE-2021-21401
2021-03-23 00:00:00
nessus
nessus
Ubuntu 20.04 ESM : Nanopb vulnerabilities (USN-6121-1)
2023-05-30 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-6121-1)
2023-05-31 00:00:00
ubuntu
ubuntu
Nanopb vulnerabilities
2023-05-30 00:00:00