CVE-2021-21401
Description
Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory for more information including workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nanopbPyPI | >= 0.3.2, < 0.3.9.8 | 0.3.9.8 |
nanopbPyPI | >= 0.4.0, < 0.4.5 | 0.4.5 |
Affected products
3- ghsa-coords2 versions
>= 0.3.2, < 0.3.9.8+ 1 more
- (no CPE)range: >= 0.3.2, < 0.3.9.8
- (no CPE)range: < 0.4.5-1.3
Patches
Vulnerability mechanics
References
8- github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261nvdPatchThird Party AdvisoryWEB
- github.com/nanopb/nanopb/issues/647nvdExploitIssue TrackingThird Party AdvisoryWEB
- github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88nvdExploitPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-7mv5-5mxh-qg88ghsaADVISORY
- github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txtnvdRelease NotesThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-21401ghsaADVISORY
- github.com/nanopb/nanopb/commit/4a375a560651a86726e5283be85a9231fd0efe9cghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/nanopb/PYSEC-2021-432.yamlghsaWEB
News mentions
0No linked articles in our index yet.