5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26307

GHSA ID

GHSA-jrf8-cmgg-gv2m

EPSS Score

0.15529%

CWE

CWE-400

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-26307

CVE-2021-26307:
Error on unsupported architectures in raw-cpuid

native_cpuid::cpuid_count() exposes the unsafe __cpuid_count() intrinsic from core::arch::x86 or core::arch::x86_64 as a safe function, and uses it internally, without checking the safety requirement:

The CPU the program is currently running on supports the function being called.

CPUID is available in most, but not all, x86/x86_64 environments. The crate compiles only on these architectures, so others are unaffected. This issue is mitigated by the fact that affected programs are expected to crash deterministically every time.

The flaw has been fixed in v9.0.0, by intentionally breaking compilation when targeting SGX or 32-bit x86 without SSE. This covers all affected CPUs.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26307

GHSA ID

GHSA-jrf8-cmgg-gv2m

EPSS Score

0.15529%

CWE

CWE-400

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
raw-cpuid	rust	< 9.0.0	9.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from native_cpuid::cpuid_count() wrapping the unsafe __cpuid_count intrinsic from core::arch as a safe function. This violates Rust's safety requirements as it doesn't verify the CPU supports the CPUID instruction, which isn't available in all x86/x86_64 environments (e.g., SGX or 32-bit x86 without SSE). The CVE description explicitly identifies this function as problematic, and the fix involved adding compilation guards for affected architectures. While other functions had memory safety issues (fixed via #[repr(C)]), this function directly relates to the CVE-2021-26307 vulnerability through its unsafe exposure of CPU-dependent intrinsics.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

n*tiv*_*pui*::*pui*_*ount() *xpos*s t** uns*** __*pui*_*ount() intrinsi* *rom *or*::*r**::x** or *or*::*r**::x**_** *s * s*** *un*tion, *n* us*s it int*rn*lly, wit*out ****kin* t** s***ty r*quir*m*nt: * T** *PU t** pro*r*m is *urr*ntly runnin* on su

Reasoning

T** vuln*r**ility st*ms *rom n*tiv*_*pui*::*pui*_*ount() wr*ppin* t** uns*** __*pui*_*ount intrinsi* *rom *or*::*r** *s * s*** *un*tion. T*is viol*t*s Rust's s***ty r*quir*m*nts *s it *o*sn't v*ri*y t** *PU supports t** *PUI* instru*tion, w*i** isn't

5.5

Basic Information

Concerned about an active attack path?

CVE-2021-26307: Error on unsupported architectures in raw-cpuid

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-26307:
Error on unsupported architectures in raw-cpuid

Vulnerability Intelligence
Miggo AI