CVE-2021-21401

Source
https://cve.org/CVERecord?id=CVE-2021-21401
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21401.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21401
Aliases
Downstream
Related
Published
2021-03-23T18:15:13.160Z
Modified
2026-02-13T08:42:40.877973Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Summary
[none]
Details

Nanopb is a small code-size Protocol Buffers implementation in ANSI C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains a oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it were a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See the referenced GitHub Security Advisory for more information, including workarounds.

References

Affected packages

Git / github.com/nanopb/nanopb

Affected ranges

Type
GIT
Repo
https://github.com/nanopb/nanopb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed

Affected versions

0.*
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
nanopb-0.*
nanopb-0.4.0
nanopb-0.4.0-dev
nanopb-0.4.1
nanopb-0.4.2
nanopb-0.4.3
nanopb-0.4.4

Database specific

vanir_signatures
[
    {
        "id": "CVE-2021-21401-1bc41359",
        "signature_version": "v1",
        "digest": {
            "function_hash": "135569156852612219065699278227514311302",
            "length": 325.0
        },
        "deprecated": false,
        "source": "https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261",
        "signature_type": "Function",
        "target": {
            "file": "pb_decode.c",
            "function": "pb_release_union_field"
        }
    },
    {
        "id": "CVE-2021-21401-ba7b2709",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "61013708987579731352987091476408286170",
                "327087506916403461653276454963703349803",
                "44894250810108914257220512929796472898"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261",
        "signature_type": "Line",
        "target": {
            "file": "pb_decode.c"
        }
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21401.json"