CVE-2021-36155
Description
gRPC Swift version 1.1.0 and earlier allows uncontrolled resource consumption via arbitrary-length buffer allocation leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
LengthPrefixedMessageReader in gRPC Swift releases before 1.2.0 (including 1.0.0, 1.1.0, and 1.1.1) does not limit the permitted length of received messages, allowing remote attackers to trigger allocation of arbitrarily large buffers, which causes uncontrolled resource consumption. The vulnerable code path is reachable in both client and server configurations when parsing gRPC messages [1][2].
Exploitation
An attacker with network access to a gRPC Swift endpoint (acting as either a client or a server) can send a message whose length prefix declares an excessively large size. LengthPrefixedMessageReader allocates a buffer of the declared size without validating it, leading to memory exhaustion. No authentication or special privileges are required [1][2].
Impact
Successful exploitation results in denial of service due to exhaustion of memory resources on the target system. The attacker can cause the application to become unresponsive or crash, disrupting availability [1][2].
Mitigation
The issue is fixed in gRPC Swift version 1.2.0, which limits the permitted length of received messages [2][4]. No workaround is available; users must upgrade to the patched version [2]. The 1.x series is in maintenance mode, but security fixes are still applied [3].
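To make the flaw and its fix concrete, here is an added Python model of a length-prefixed message reader for the gRPC wire format (1-byte compressed flag, 4-byte big-endian length, then the payload); it is example code, not gRPC Swift's LengthPrefixedMessageReader or the 1.2.0 patch. With `max_length=None` it reserves a buffer of the peer-declared size as soon as the header is parsed, which is the uncontrolled-allocation pattern described above; with a limit it rejects the header before any memory is reserved. The 4 MiB default and all names in the block are assumptions of this example.

```python
import struct

HEADER_LEN = 5  # 1-byte compressed flag + 4-byte big-endian payload length
DEFAULT_MAX_LENGTH = 4 * 1024 * 1024  # receive limit used by this example (assumed value)

class MessageTooLarge(Exception):
    """Declared payload length exceeds the configured receive limit."""

class LengthPrefixedReader:
    """Incremental reader for gRPC length-prefixed messages (model, not grpc-swift's code).
    max_length=None models the unbounded behaviour: a buffer of the declared size is
    reserved as soon as the header is parsed, so the remote peer dictates the allocation."""

    def __init__(self, max_length=DEFAULT_MAX_LENGTH):
        self.max_length = max_length
        self.buf = bytearray()  # transport bytes not yet consumed
        self.pending = None     # (compressed, expected_len, reserved buffer) or None

    def feed(self, data: bytes) -> list[tuple[bool, bytes]]:
        # Consume transport bytes; return every completed (compressed, payload) pair.
        self.buf += data
        out = []
        while True:
            if self.pending is None:
                if len(self.buf) < HEADER_LEN:
                    return out
                compressed, length = struct.unpack(">BI", self.buf[:HEADER_LEN])
                # The fix: validate the declared length *before* reserving memory.
                if self.max_length is not None and length > self.max_length:
                    raise MessageTooLarge(f"declared {length} > limit {self.max_length}")
                del self.buf[:HEADER_LEN]
                self.pending = (bool(compressed), length, bytearray(length))
            compressed, length, body = self.pending
            if len(self.buf) < length:
                return out  # wait for the rest of the payload
            body[:] = self.buf[:length]
            del self.buf[:length]
            self.pending = None
            out.append((compressed, bytes(body)))

def encode(payload: bytes, compressed: bool = False) -> bytes:
    # Frame a payload as a length-prefixed gRPC message (constructed test input).
    return struct.pack(">BI", int(compressed), len(payload)) + payload

def reserved_after_header(max_length, declared_len: int) -> int:
    """Feed only a header declaring declared_len bytes; return bytes reserved, or -1 if rejected."""
    reader = LengthPrefixedReader(max_length)
    try:
        reader.feed(struct.pack(">BI", 0, declared_len))
    except MessageTooLarge:
        return -1
    return len(reader.pending[2]) if reader.pending else 0
```

Feeding a bare header that declares 0xFFFFFFFF bytes to the limited reader raises MessageTooLarge with nothing allocated, whereas the unbounded reader would reserve the full declared size before a single payload byte arrives.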
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grpc/grpc-swift (Swift) | < 1.2.0 | 1.2.0 |
Affected products
- gRPC Swift / gRPC Swift
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-rxmj-hg9v-vp3p
- nvd.nist.gov/vuln/detail/CVE-2021-36155
- bugs.chromium.org/p/oss-fuzz/issues/detail
- github.com/grpc/grpc-swift/releases
- github.com/grpc/grpc-swift/releases/tag/1.2.0
- github.com/grpc/grpc-swift/security/advisories/GHSA-rxmj-hg9v-vp3p
News mentions
No linked articles in our index yet.