CVE-2021-20235
Description
A heap buffer overflow in ZeroMQ before 4.3.3 allows remote unauthenticated attackers to write arbitrary data when CURVE/ZAP authentication is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in ZeroMQ before 4.3.3 allows remote unauthenticated attackers to write arbitrary data when CURVE/ZAP authentication is disabled.
Vulnerability
The flaw resides in the static allocator in src/decoder_allocators.hpp of ZeroMQ (libzmq) versions before 4.3.3. The static allocator uses a fixed-size buffer (default 8192 bytes, configurable via ZMQ_IN_BATCH_SIZE). However, the decoder can be tricked into changing the recorded size of this buffer, leading to a heap-based buffer overflow when processing malformed ZMTP v1 packets [1][2].
Exploitation
An unauthenticated remote attacker can send a crafted ZMTP v1 packet that is not valid ZMTP v2/v3. By sending two messages larger than 8192 bytes, the decoder's recorded size is altered, causing the next message to overflow the static buffer. The attacker controls the content written to the overflowed memory. This attack is only possible if CURVE/ZAP authentication is not enabled, as ZMTP v1 peers are immediately rejected when CURVE/ZAP is active [2].
Impact
Successful exploitation allows the attacker to write arbitrary data to heap memory beyond the buffer, potentially leading to denial of service (application crash), data integrity compromise, and information disclosure. The greatest impact is on availability, integrity, and confidentiality [1][2].
Mitigation
The vulnerability is fixed in ZeroMQ version 4.3.3, released in 2021. The fix is implemented in commit #3902 [2]. Users should upgrade to 4.3.3 or later. As a workaround, enable CURVE/ZAP authentication on public endpoints, which prevents ZMTP v1 peers from being processed [2]. Fedora packages were updated in FEDORA-2021-8b3202b783 [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- zeromq/zeromq serverdescription
Patches
204f5bbedee58Finalize changelog for 4.3.3
1 file changed · +1 −1
NEWS+1 −1 modified@@ -1,4 +1,4 @@ -0MQ version 4.3.x stable, released on 20xx/xx/xx +0MQ version 4.3.3 stable, released on 2020/09/07 ================================================ * Security advisories:
28cb820f4f38Merge pull request #3902 from bluca/fuzzers
2 files changed · +4 −1
src/decoder_allocators.hpp+2 −1 modified@@ -58,7 +58,8 @@ class c_single_allocator std::size_t size () const { return _buf_size; } - void resize (std::size_t new_size_) { _buf_size = new_size_; } + // This buffer is fixed, size must not be changed + void resize (std::size_t new_size_) { LIBZMQ_UNUSED (new_size_); } private: std::size_t _buf_size;
tests/testutil.cpp+2 −0 modified@@ -233,10 +233,12 @@ void setup_test_environment (int timeout_seconds_) // abort test after 121 seconds alarm (121); #else +#if !defined ZMQ_DISABLE_TEST_TIMEOUT // abort test after timeout_seconds_ seconds alarm (timeout_seconds_); #endif #endif +#endif #if defined __MVS__ // z/OS UNIX System Services: Ignore SIGPIPE during test runs, as a // workaround for no SO_NOGSIGPIPE socket option.
Vulnerability mechanics
Root cause
"The static allocator's resize method updates the stored buffer size without actually resizing the underlying fixed buffer, causing a mismatch that leads to out-of-bounds writes."
Attack vector
A remote, unauthenticated attacker sends a crafted ZMTP v1 handshake message that triggers a resize of the static allocator. Because `resize()` updates the stored size but the buffer remains fixed, subsequent operations that use the stored size can write beyond the buffer boundary. This results in a buffer overflow WRITE of arbitrary data. The attack is only possible when CURVE/ZAP authentication is not enabled, as the vulnerable code path is reached before authentication completes.
Affected code
The flaw is in `src/decoder_allocators.hpp` in the `c_single_allocator` class. The `resize()` method previously wrote the new size into `_buf_size` even though the underlying buffer is a fixed-size static buffer. This mismatch between the stored size and the actual buffer capacity is the root cause [patch_id=2271412].
What the fix does
The patch changes the `resize()` method in `c_single_allocator` to ignore the `new_size_` parameter entirely by wrapping it with `LIBZMQ_UNUSED`. This prevents the stored `_buf_size` from being changed, ensuring it always reflects the actual fixed buffer capacity. The comment added — "This buffer is fixed, size must not be changed" — documents this invariant. No other code changes are needed because the allocator's buffer is genuinely static and should never be resized.
Preconditions
- configCURVE/ZAP authentication must not be enabled on the server
- networkAttacker must be able to send a crafted ZMTP v1 handshake message to the server
- authNo authentication required (unauthenticated attacker)
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- bugzilla.redhat.com/show_bug.cgimitrex_refsource_MISC
- github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.