CVE-2021-44144
Description
A heap-based buffer over-read in Croatia Control Asterix 2.8.1 allows remote attackers to crash the application via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Croatia Control Asterix version 2.8.1 contains a heap-based buffer over-read in the DataItemBits::getBits function (DataItemBits.cpp:125). The issue arises from insufficient bounds checking when malformed ASTerix files are processed, so the decoder reads beyond the allocated buffer [1], [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious ASTerix file. The proof-of-concept cited in the references shows that feeding a base64-decoded malformed file to the application via standard input triggers the over-read, as reported by AddressSanitizer [2]. No authentication or special network position is required; the application only needs to process the crafted file.
Impact
Successful exploitation causes a heap-buffer over-read that can crash the application, so the primary impact is denial of service. No code execution or privilege escalation is documented in the available references [1], [2].
Mitigation
As of the latest available information, no official patch has been released for CVE-2021-44144. The vendor has not provided a fixed version. Users should exercise caution when processing untrusted ASTerix files and consider implementing input validation as a temporary workaround [1], [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
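The input validation the Mitigation section recommends, as an added example that is not code from the Asterix project: a simplified decoder for an Explicit item (the names `ByteView`, `decodeExplicit` and `probe`, and the one-octet LEN layout, are assumptions for this example) that applies the fix commit's check `bodyLength == 0 || nFullLength % bodyLength != 0` either as the unpatched code did (notice and continue) or as the patched code does (return), and counts how many reads would land past the end of the packet.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Bounds-checked byte view: a read past the end is counted, not performed,
// so the over-read can be observed without undefined behaviour.
struct ByteView {
    const std::vector<uint8_t>& buf;
    size_t overReads;
    explicit ByteView(const std::vector<uint8_t>& b) : buf(b), overReads(0) {}
    uint8_t at(size_t i) {
        if (i >= buf.size()) { ++overReads; return 0; }
        return buf[i];
    }
};
// Assumed layout of an Explicit item: a one-octet LEN that counts itself, then
// LEN-1 octets holding bodies of bodyLength octets each. Returns the number of
// bodies consumed, or -1 when the item is rejected. patched=false mirrors the
// pre-fix flow: the mismatch is noticed (the real code logs it) but decoding
// continues into a partial body anyway.
int decodeExplicit(ByteView& v, size_t bodyLength, bool patched) {
    if (bodyLength == 0) return -1;  // example-only guard: the loop below would never advance
    size_t len = v.at(0);
    if (len == 0 || len > v.buf.size()) return -1;  // LEN must fit inside the packet
    size_t nFullLength = len - 1;
    if (nFullLength % bodyLength != 0) {  // the condition from the fix commit
        if (patched) return -1;           // fixed code: return false here
    }                                     // unpatched code: fall through
    int bodies = 0;
    for (size_t off = 0; off < nFullLength; off += bodyLength) {
        for (size_t k = 0; k < bodyLength; ++k) (void)v.at(1 + off + k);  // read one body
        ++bodies;
    }
    return bodies;
}
// Decodes one constructed packet and reports (bodies consumed, reads past the end).
std::pair<int, size_t> probe(const std::vector<uint8_t>& packet, size_t bodyLength, bool patched) {
    ByteView v(packet);
    int bodies = decodeExplicit(v, bodyLength, patched);
    return std::make_pair(bodies, v.overReads);
}
int main() {
    // Constructed sample: LEN=4 announces 3 body octets, but each body is 2 octets.
    const std::vector<uint8_t> bad = {0x04, 0xAA, 0xBB, 0xCC};
    std::pair<int, size_t> before = probe(bad, 2, false), after = probe(bad, 2, true);
    std::printf("unpatched: bodies=%d over-reads=%zu\n", before.first, before.second);
    std::printf("patched:   bodies=%d over-reads=%zu\n", after.first, after.second);
}
```

With the constructed packet the unpatched path consumes a second, partial body and attempts one read past the packet, while the patched path rejects the item before touching the body bytes.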
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| asterix_decoder (PyPI) | < 0.7.2 | 0.7.2 |
Affected products
- Croatia Control / Asterix
Patches
3f765d387d23 Issue #183 Potential Heap-based Buffer Overflow
6 files changed · +12 −5
asterix/version.py+1 −1 modified@@ -1 +1 @@ -__version__ = '0.7.1' +__version__ = '0.7.2'
CMakeLists.txt+3 −0 modified@@ -27,6 +27,9 @@ set(EXECUTABLE_OUTPUT_PATH install) set(CMAKE_CXX_STANDARD 11) +#set (CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -fno-omit-frame-pointer -fsanitize=address") +#set (CMAKE_LINKER_FLAGS_DEBUG "${CMAKE_LINKER_FLAGS_DEBUG} -fno-omit-frame-pointer -fsanitize=address") + include_directories(src/asterix) include_directories(src/engine) include_directories(src/main)
HISTORY+4 −1 modified@@ -249,4 +249,7 @@ Issue #178 Explicit items with more elements then in definition should be put to 2.8.1 (python_v0.7.1) Issue #180 Problem decoding repetitive data item I023/120 Service Statistics Issue #181 Add missing Single Antenna (SA) element in Data Item I021/008 for CAT021 v2.1 -Issue #182 convert timestamp to double, improves precision \ No newline at end of file +Issue #182 convert timestamp to double, improves precision + +2.8.2 (python_v0.7.2) +Issue #183 Potential Heap-based Buffer Overflow \ No newline at end of file
SECURITY.md+1 −1 modified@@ -2,4 +2,4 @@ ## Reporting a Vulnerability -Please report security issues to <email> +Please report security issues to damir dot salantic at gmail dot com
src/asterix/DataItemFormatExplicit.cpp+1 −0 modified@@ -68,6 +68,7 @@ bool DataItemFormatExplicit::getText(std::string &strResult, std::string &strHea // full length must be multiple of body length if (bodyLength == 0 || nFullLength % bodyLength != 0) { Tracer::Error("Wrong data length in Explicit. Needed=%d and there is %d bytes.", bodyLength, nFullLength); + return false; } std::string tmpStr = "";
src/main/version.h+2 −2 modified@@ -26,7 +26,7 @@ #ifndef VERSION_H #define VERSION_H -#define _VERSION 2.8.1 -#define _VERSION_STR "2.8.1" +#define _VERSION 2.8.2 +#define _VERSION_STR "2.8.2" #endif
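Review bot: in the CMakeLists.txt hunk the two added `#set (CMAKE_CXX_FLAGS_DEBUG ...)` / `#set (CMAKE_LINKER_FLAGS_DEBUG ...)` lines carrying `-fsanitize=address` are committed as comments, and commented-out build flags tend to rot unnoticed. Consider gating them behind a CMake `option()` so the AddressSanitizer build that reproduces issue #183 can be enabled from the command line without editing the file.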
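Review bot: in the DataItemFormatExplicit.cpp hunk the added `return false;` is the actual fix: before it, `Tracer::Error("Wrong data length in Explicit. ...")` was logged but getText carried on with a `bodyLength` of zero or a `nFullLength` that is not a multiple of it, which is how the decoder walked into a partial body and past the buffer. Two things to confirm: that every caller of getText treats a false return as "item not decoded" rather than using a partially filled `strResult`, and that any other output method of this class sharing the same length check (none is in the diff) gets the same early return, since the check alone does not stop decoding.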
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6mmf-v5q7-vw2w (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-44144 (GHSA; advisory)
- github.com/CroatiaControlLtd/asterix/blob/daf33de522d1cdab0e941c025b89e18a0d4d42c6/README.md (GHSA; web)
- github.com/CroatiaControlLtd/asterix/commit/3f765d387d239ccc44e278a2ffa600fb6a6587f9 (GHSA; web)
- github.com/CroatiaControlLtd/asterix/issues/183 (GHSA, x_refsource_MISC; web)
- github.com/pypa/advisory-database/tree/main/vulns/asterix-decoder/PYSEC-2021-860.yaml (GHSA; web)
- web.archive.org/web/20221207104133/https://huntr.dev/bounties/1-other-CroatiaControlLtd/asterix (GHSA; web)