CVE-2021-22547

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-22547
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22547.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-22547
Published
2021-05-04T13:15:07.427Z
Modified
2026-04-11T13:53:50.075676Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.

References

Affected packages

Git / github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c

Affected ranges

Type
GIT
Repo
https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
041656933586e43cc24388a54781730df55ad567
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.3"
        }
    ]
}

Affected versions

v0.*
v0.7.0
v1.*
v1.0.0
v1.0.1
v1.0.2

Database specific

vanir_signatures_modified 
"2026-04-11T13:53:50Z"
vanir_signatures 
[
    {
        "id": "CVE-2021-22547-31b8d899",
        "target": {
            "file": "src/bsp/platform/posix/iotc_bsp_io_fs_posix.c",
            "function": "iotc_bsp_io_fs_posix_file_list_cnd"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "81785243033371308374503153215231695397",
            "length": 165.0
        },
        "signature_type": "Function",
        "source": "https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/commit/041656933586e43cc24388a54781730df55ad567",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2021-22547-874992c4",
        "target": {
            "file": "src/bsp/platform/posix/iotc_bsp_io_fs_posix.c"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "154520739660189784901966324150758638933",
                "73779243641174834581237016007137610446",
                "332280061345850075723924269273142684964",
                "23178749078016402609857265411199487098",
                "106734765140754118371115303880259937921",
                "157378817599033597257474335005899545949",
                "91302717702408768029480654618892259803",
                "237802977672296311890087986890013576434",
                "297559001312339072529567236628134153856",
                "228804596456885972394762114957055457281",
                "46042615775042973353065746876242525988",
                "88428684234551885819554274655906803443",
                "242014315865988174451165653086508710578",
                "70290611407254847305754130648101002343",
                "311994129233977358944167620534827867036",
                "75642438441162282818715867655022797872",
                "85376420511074102028878630890651402433",
                "329770365037688330305954418172350701236",
                "94831048845955362766972986112639669163",
                "135258534094935864412912144788733055955",
                "290902559063257559347795521844359594116",
                "63334026321291143773962622388952437237",
                "314337525011903658388019391116883003426",
                "241452838143252883186949712055667861062",
                "332408072144918446484233952960141246348",
                "22709596164186350394636582698431471302",
                "305499280918541599809956146878448618225",
                "75683643666643013779052745409325338881",
                "6625582910777098001235839683297809587",
                "116574443653615237781893163561997087521",
                "303516927088387121028371787603923307849",
                "16123746244691189924587426833252017464",
                "147897860568757534659374081872112837642",
                "8843517423325356088080231983245434598",
                "85248476133574186698897706923802662817",
                "308046593632638019939742041239483657793",
                "9263454890163760079354273317049955333",
                "70819309493723136236345627643723446439",
                "51164847599284191885885062630413639915",
                "286371897568724442639898995224492030145",
                "250567565249709496221163207054119116201",
                "222318312243355462968457794031306229917",
                "226519186825686807340162649562179886582",
                "107700905158585460833568366276399287882",
                "45702605885793645418694886424159826139",
                "250879350739468555906060520571909077747",
                "279497880989033044598931373299732771540",
                "271332423570115634494935068331584663387",
                "334129320211840373534797435059318544521",
                "71773132323011492865338065791097292950",
                "21486485623298308870377198672587852745",
                "70016109924917589905227741377867047360",
                "85248476133574186698897706923802662817",
                "25464170109051115981488598530160260674",
                "131431521367589128218740107510730660987",
                "301883733090948997950782892304877968010",
                "286371897568724442639898995224492030145",
                "250567565249709496221163207054119116201",
                "222318312243355462968457794031306229917",
                "91871450513783540471962003519681145159",
                "74533233234458292107996033983798791293",
                "67091906501119797987231072402649505155",
                "127082854245403631455401002088397857670",
                "233311044236495511514506116053573101520",
                "109904400905578488642805679279232196860",
                "3544272240882948774579415889800835798",
                "175117090635937339776074822795079269463",
                "339952933996038635524053390006252800278",
                "157442388487921027478860778599584146397",
                "111732379760599121986430093099052163616",
                "85248476133574186698897706923802662817",
                "25464170109051115981488598530160260674",
                "123065547557772955286565704251106018136",
                "13517302206781727573400364541423848655",
                "46361560389920327522461778428177591076",
                "160036893375612424274010059246114347372",
                "250567565249709496221163207054119116201",
                "222318312243355462968457794031306229917",
                "276606002238836281268235344059077670773",
                "124754059596687926711914027693153909453",
                "283426535801324251717992561001525334489",
                "958771317813386280284592312825740522",
                "256888034547999906267126619734756571552"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/commit/041656933586e43cc24388a54781730df55ad567",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2021-22547-8ee74583",
        "target": {
            "file": "src/bsp/platform/posix/iotc_bsp_io_fs_posix.c",
            "function": "iotc_bsp_io_fs_close"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "68907939495310070813791418474976135519",
            "length": 768.0
        },
        "signature_type": "Function",
        "source": "https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/commit/041656933586e43cc24388a54781730df55ad567",
        "signature_version": "v1"
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22547.json"