7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21401

GHSA ID

GHSA-7mv5-5mxh-qg88

EPSS Score

0.42442%

CWE

CWE-763

Published

8/30/2024

Updated

8/30/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21401

CVE-2021-21401: nanopb vulnerable to invalid free() call with oneofs and PB_ENABLE_MALLOC

Impact

Decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed.

Patches

Preliminary patch is available on git for 0.4.x and 0.3.x branches. The fix will be released in versions 0.3.9.8 and 0.4.5 once testing has been completed.

Workarounds

Following workarounds are available:

Set the option no_unions for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code.
Set the type of all fields inside the oneof to FT_POINTER. This ensures that the data contained inside the union is always a valid pointer.
Heap implementations that guard against invalid free() provide a partial mitigation. Depending on the message type, the pointer value may be attacker controlled and can be used to bypass heap protections.

References

Bug report: https://github.com/nanopb/nanopb/issues/647

For more information

If you have any questions or comments about this advisory, comment on the bug report linked above.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21401

GHSA ID

GHSA-7mv5-5mxh-qg88

EPSS Score

0.42442%

CWE

CWE-763

Published

8/30/2024

Updated

8/30/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nanopb	pip	>= 0.3.2, < 0.3.9.8	0.3.9.8
nanopb	pip	>= 0.4.0, < 0.4.5	0.4.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how oneof field switching was handled in pb_release_union_field. The commit diff shows a critical fix where pointer fields are explicitly initialized to NULL when switching oneof members. This addresses the core issue where previous non-pointer data could be misinterpreted as a pointer. The function's role in managing union field cleanup directly matches the vulnerability description of invalid pointer releases. The high confidence comes from the direct correlation between the patch location, commit message explanation, and the described vulnerability mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t ***o*in* * sp**i*i**lly *orm** m*ss*** **n **us* inv*li* `*r**()` or `r**llo*()` **lls i* t** m*ss*** typ* *ont*ins *n `on*o*` *i*l*, *n* t** `on*o*` *ir**tly *ont*ins *ot* * point*r *i*l* *n* * non-point*r *i*l*. I* t** m*ss*** **t* *irst

Reasoning

T** vuln*r**ility st*ms *rom *ow on*o* *i*l* swit**in* w*s **n*l** in p*_r*l**s*_union_*i*l*. T** *ommit *i** s*ows * *riti**l *ix w**r* point*r *i*l*s *r* *xpli*itly initi*liz** to NULL w**n swit**in* on*o* m*m**rs. T*is ***r*ss*s t** *or* issu* w**

7.1

Basic Information

Concerned about an active attack path?

CVE-2021-21401: nanopb vulnerable to invalid free() call with oneofs and PB_ENABLE_MALLOC

Impact

Patches

Workarounds

References

For more information

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI