CVE-2021-46102
Description
In Solana rBPF versions 0.2.14 through 0.2.16, the function "relocate" in the file src/elf.rs has an integer overflow bug because sym.st_value is read directly from the ELF file without checking. If sym.st_value is rather large, an integer overflow is triggered while calculating the variable "addr" via "addr = (sym.st_value + refd_pa) as u64".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in Solana rBPF 0.2.14-0.2.16 allows attackers to cause memory corruption via a crafted ELF file.
Vulnerability
In Solana rBPF versions 0.2.14 through 0.2.16, the relocate function in src/elf.rs adds sym.st_value and refd_pa without proper validation, so the sum can overflow. The sym.st_value field is read directly from the ELF file; if it is sufficiently large, the addition overflows and yields an incorrect address calculation [1].
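An added example, not code from the rBPF project: it models the `sym.st_value + refd_pa` computation in an unchecked and a guarded form, and shows that a wrapped sum can look like a valid in-image address. The `Sym` struct, the function names, the u64 operand types, the image-bounds policy and the sample values are all assumptions.

```rust
// Added example: models only the address arithmetic named in the CVE text.
// `Sym`, `RelocError` and both function names are hypothetical.

/// Minimal stand-in for an ELF64 symbol entry; st_value comes from the file.
struct Sym {
    st_value: u64,
}

#[derive(Debug, PartialEq)]
enum RelocError {
    AddressOverflow,
    OutOfImage,
}

/// The unchecked pattern. `wrapping_add` reproduces what a plain `+` does in
/// a build without overflow checks (with them, `+` panics instead).
fn addr_unchecked(sym: &Sym, refd_pa: u64) -> u64 {
    sym.st_value.wrapping_add(refd_pa)
}

/// Guarded form: reject overflow, then require the result to fall inside the
/// loaded image [image_base, image_base + image_len) (assumed loader policy).
fn addr_checked(sym: &Sym, refd_pa: u64, image_base: u64, image_len: u64)
    -> Result<u64, RelocError>
{
    let addr = sym.st_value.checked_add(refd_pa).ok_or(RelocError::AddressOverflow)?;
    let end = image_base.checked_add(image_len).ok_or(RelocError::AddressOverflow)?;
    if addr < image_base || addr >= end {
        return Err(RelocError::OutOfImage);
    }
    Ok(addr)
}

fn main() {
    // Constructed sample values, not taken from a real ELF file.
    let (base, len, refd_pa) = (0x1_0000_0000u64, 0x1000u64, 0x1_0000_0120u64);
    let benign = Sym { st_value: 0x40 };
    let oversized = Sym { st_value: u64::MAX - 0x1F };
    for (name, sym) in [("benign", &benign), ("oversized", &oversized)] {
        let wrapped = addr_unchecked(sym, refd_pa);
        let checked = addr_checked(sym, refd_pa, base, len);
        println!("{name}: unchecked={wrapped:#x} checked={checked:?}");
    }
}
```

With the constructed oversized value the wrapped sum falls inside the image range, so a bounds check alone would accept it; only the overflow check rejects it.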
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted ELF binary with an oversized sym.st_value field. No authentication is required; the attacker only needs the ability to load and execute an eBPF program using the affected library. The overflow occurs during relocation, a standard step in loading the ELF [1].
Impact
Successful exploitation results in an integer overflow that produces an invalid memory address. This could lead to memory corruption, potentially enabling arbitrary code execution or information disclosure, depending on how the invalid address is subsequently used. The vulnerability has a CVSS score of 9.8 (Critical) [1].
Mitigation
The issue was fixed in version 0.2.17, released on December 7, 2021, via pull request #236 [3][4]. Users should upgrade to v0.2.17 or later. No workarounds are available for affected versions; updating is the recommended action [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| solana_rbpf (crates.io) | >= 0.2.14, < 0.2.17 | 0.2.17 |
Affected products
- Solana/rBPF
References
- github.com/advisories/GHSA-xwqr-xmgg-j69q
- nvd.nist.gov/vuln/detail/CVE-2021-46102
- blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee
- github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs
- github.com/solana-labs/rbpf/pull/200
- github.com/solana-labs/rbpf/pull/236
- github.com/solana-labs/rbpf/releases/tag/v0.2.17