6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29511

GHSA ID

GHSA-4jwq-572w-4388

EPSS Score

0.58421%

CWE

CWE-770

Published

1/30/2024

Updated

1/30/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29511

CVE-2021-29511: Memory over-allocation in evm crate

Impact

Prior to the patch, when executing specific EVM opcodes related to memory operations that use evm_core::Memory::copy_large, the crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack.

Patches

The flaw was corrected in commit 19ade85. Users should upgrade to ==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1.

Workarounds

None. Please upgrade your evm crate version

References

Fix commit: https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd

For more information

If you have any questions or comments about this advisory:

Open an issue in evm repo
Email Wei

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29511

GHSA ID

GHSA-4jwq-572w-4388

EPSS Score

0.58421%

CWE

CWE-770

Published

1/30/2024

Updated

1/30/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
evm	rust	<= 0.21.0	0.21.1
evm-core	rust	<= 0.21.0	0.21.1
evm	rust	= 0.22.0	0.22.1
evm	rust	= 0.23.0	0.23.1
evm	rust	= 0.24.0	0.24.1
evm	rust	= 0.25.0	0.25.1
evm	rust	= 0.26.0	0.26.1
evm-core	rust	= 0.22.0	0.22.1
evm-core	rust	= 0.23.0	0.23.1
evm-core	rust	= 0.24.0	0.24.1
evm-core	rust	= 0.25.0	0.25.1
evm-core	rust	= 0.26.0	0.26.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly mentions memory over-allocation in evm_core::Memory::copy_large. The fix commit shows an added early return for empty values in this function, indicating the vulnerability stemmed from processing zero-length copies. The CWE-770 mapping confirms this is a resource allocation issue. The direct correlation between the vulnerability description, CWE mapping, and commit diff provides high confidence in this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Prior to t** p*t**, w**n *x**utin* sp**i*i* *VM op*o**s r*l*t** to m*mory op*r*tions t**t us* `*vm_*or*::M*mory::*opy_l*r**`, t** *r*t* **n ov*r-*llo**t* m*mory w**n it is not n*****, m*kin* it possi*l* *or *n *tt**k*r to p*r*orm **ni*l-o*

Reasoning

T** vuln*r**ility **s*ription *xpli*itly m*ntions m*mory ov*r-*llo**tion in `*vm_*or*::M*mory::*opy_l*r**`. T** *ix *ommit s*ows *n ***** **rly r*turn *or *mpty v*lu*s in t*is *un*tion, in*i**tin* t** vuln*r**ility st*mm** *rom pro**ssin* z*ro-l*n*t*

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-29511: Memory over-allocation in evm crate

Impact

Patches

Workarounds

References

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI