Memory over-allocation in evm crate
Description
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use evm_core::Memory::copy_large, the evm crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack. The flaw was corrected in commit 19ade85. Users should upgrade to ==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1. There are no workarounds. Please upgrade your evm crate version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
evm crate memory over-allocation via specific opcodes leading to DoS; fixed in versions 0.21.1, 0.23.1, 0.24.1, 0.25.1, 0.26.1+.
Vulnerability
In the evm crate (Rust Ethereum Virtual Machine) prior to the patch, the evm_core::Memory::copy_large function can over-allocate memory when it is not needed. This occurs when executing specific EVM opcodes related to memory operations. The flaw was present in versions before the fix commit 19ade85 [1][2][3].
Exploitation
An attacker can craft EVM opcodes that trigger the copy_large function with an empty value vector, causing the crate to unnecessarily allocate memory. No authentication or special privileges are required; the attacker only needs to submit malicious bytecode to a system using the vulnerable evm crate [1][3].
Impact
Successful exploitation leads to a denial-of-service (DoS) condition due to excessive memory allocation, potentially exhausting system resources and crashing the application [1][3].
Mitigation
The fix was applied in commit 19ade85 [2]. Users should upgrade to versions ==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, or >=0.26.1 [1][3]. There are no workarounds; upgrading is the only remediation [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
evmcrates.io | < 0.21.1 | 0.21.1 |
evm-corecrates.io | < 0.21.1 | 0.21.1 |
evmcrates.io | >= 0.22.0, < 0.22.1 | 0.22.1 |
evmcrates.io | >= 0.23.0, < 0.23.1 | 0.23.1 |
evmcrates.io | >= 0.24.0, < 0.24.1 | 0.24.1 |
evmcrates.io | >= 0.25.0, < 0.25.1 | 0.25.1 |
evmcrates.io | >= 0.26.0, < 0.26.1 | 0.26.1 |
evm-corecrates.io | >= 0.22.0, < 0.22.1 | 0.22.1 |
evm-corecrates.io | >= 0.23.0, < 0.23.1 | 0.23.1 |
evm-corecrates.io | >= 0.24.0, < 0.24.1 | 0.24.1 |
evm-corecrates.io | >= 0.25.0, < 0.25.1 | 0.25.1 |
evm-corecrates.io | >= 0.26.0, < 0.26.1 | 0.26.1 |
Affected products
3- ghsa-coords2 versions
< 0.21.1+ 1 more
- (no CPE)range: < 0.21.1
- (no CPE)range: < 0.21.1
- rust-blockchain/evmv5Range: < 0.21.1
Patches
119ade858c430Skip setting memory value if the value vec is empty
1 file changed · +4 −0
core/src/memory.rs+4 −0 modified@@ -105,6 +105,10 @@ impl Memory { value: &[u8], target_size: Option<usize> ) -> Result<(), ExitFatal> { + if value.is_empty() { + return Ok(()) + } + let target_size = target_size.unwrap_or(value.len()); if offset.checked_add(target_size)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-4jwq-572w-4388ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-29511ghsaADVISORY
- crates.io/crates/evmmitrex_refsource_MISC
- github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8ddghsax_refsource_MISCWEB
- github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.