CVE-2021-31572
Description
Integer overflow in FreeRTOS stream buffer allocation allows heap corruption, fixed in version 10.4.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The integer overflow occurs in prvInitialiseNewStreamBuffer() in stream_buffer.c of FreeRTOS Kernel before version 10.4.3. When calculating the memory allocation size, xBufferSizeBytes is incremented by 1 and then added to sizeof( StreamBuffer_t ). If xBufferSizeBytes is large (e.g., close to SIZE_MAX), the addition can overflow, resulting in a smaller-than-expected allocation. This leads to a heap buffer overflow when the stream buffer is used. The fix adds an overflow check before the increment [1].
Exploitation
An attacker would need to control the xBufferSizeBytes parameter passed to the stream buffer creation function. This could be achieved if the application accepts user input for buffer sizes. No authentication is required if the vulnerable function is exposed to untrusted data. The attacker triggers the overflow by providing a large size value that causes the integer overflow during allocation. The subsequent use of the undersized buffer can corrupt heap metadata or adjacent memory.
Impact
Successful exploitation can lead to heap corruption, potentially allowing an attacker to overwrite critical data structures. This may result in denial of service or arbitrary code execution within the context of the FreeRTOS kernel. The impact is limited to systems using the vulnerable stream buffer functionality.
Mitigation
The vulnerability is fixed in FreeRTOS Kernel version 10.4.3, released on 2021-04-22. Users should update to this version or later. The commit [1] introduces the overflow check. No workaround is available for earlier versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Amazon Web Services/FreeRTOS kernel
- Range: <10.4.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer overflow in `prvInitialiseNewStreamBuffer()` when incrementing `xBufferSizeBytes` and adding `sizeof(StreamBuffer_t)` before calling `pvPortMalloc()`."
Attack vector
An attacker who can control the `xBufferSizeBytes` argument (e.g., through a crafted stream buffer creation request) can trigger an integer overflow when the value is incremented by 1 and then added to `sizeof(StreamBuffer_t)`. The overflow causes `pvPortMalloc()` to allocate a much smaller buffer than expected, leading to a heap buffer overflow when the stream buffer is subsequently written to. No authentication is required if the vulnerable API is exposed to untrusted input.
Affected code
The integer overflow occurs in `prvInitialiseNewStreamBuffer()` inside `stream_buffer.c`. The function increments `xBufferSizeBytes` before passing it to `pvPortMalloc()`, but prior to the patch no overflow check was performed on the addition `xBufferSizeBytes + 1 + sizeof(StreamBuffer_t)`.
What the fix does
The patch adds a guard `if( xBufferSizeBytes < ( xBufferSizeBytes + 1 + sizeof( StreamBuffer_t ) ) )` before performing the increment and allocation. If the addition would overflow (i.e., the result wraps around), the function sets `pucAllocatedMemory = NULL` instead of proceeding with a truncated allocation. This ensures that an undersized buffer is never allocated, preventing the subsequent heap corruption.
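The wrap-around and the guard quoted above can be checked in isolation. This is an added example, not code from the FreeRTOS kernel or the fix commit: `MODEL_HEADER_BYTES` is an assumed stand-in for `sizeof( StreamBuffer_t )`, and the function names and sample sizes are constructed for illustration. `request_fits()` goes slightly beyond the page by expressing the same bound without performing the wrapping addition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in for sizeof( StreamBuffer_t ); the real size is port-specific. */
#define MODEL_HEADER_BYTES ((size_t)36)

/* Pre-fix arithmetic: the byte count that would reach pvPortMalloc(). */
static size_t request_unchecked(size_t xBufferSizeBytes)
{
    xBufferSizeBytes++;                           /* wraps to 0 at SIZE_MAX */
    return xBufferSizeBytes + MODEL_HEADER_BYTES; /* may wrap here as well */
}

/* Guard as quoted on the page: returns 1 and the request size, or 0 where
 * the kernel would set pucAllocatedMemory = NULL. */
static int request_guarded(size_t xBufferSizeBytes, size_t *request)
{
    if (xBufferSizeBytes < (xBufferSizeBytes + 1 + MODEL_HEADER_BYTES)) {
        *request = xBufferSizeBytes + 1 + MODEL_HEADER_BYTES;
        return 1;
    }
    *request = 0;
    return 0;
}

/* Equivalent bound check that never performs the wrapping addition. */
static int request_fits(size_t xBufferSizeBytes)
{
    return xBufferSizeBytes <= SIZE_MAX - 1 - MODEL_HEADER_BYTES;
}

int main(void)
{
    /* Constructed sizes: one ordinary, two at the boundary, one near SIZE_MAX. */
    const size_t samples[] = { 64, SIZE_MAX - 37, SIZE_MAX - 36, SIZE_MAX - 10 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t guarded = 0;
        int ok = request_guarded(samples[i], &guarded);
        printf("size=%zu unchecked=%zu guarded=%s fits=%d\n", samples[i],
               request_unchecked(samples[i]), ok ? "allocate" : "NULL",
               request_fits(samples[i]));
    }
    return 0;
}
```

With the assumed header size, a requested size of `SIZE_MAX - 10` turns into an unchecked request of 26 bytes, which is the undersized allocation the description refers to.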
Preconditions
- Input: The attacker must be able to supply or influence the `xBufferSizeBytes` value passed to a stream buffer creation function, typically via an API exposed to untrusted input.
- Config: The system must be running FreeRTOS Kernel before version 10.4.3.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/FreeRTOS/FreeRTOS-Kernel/commit/d05b9c123f2bf9090bce386a244fc934ae44db5b (mitre, x_refsource_MISC)