CVE-2021-3910: NUL character in ROA causes OctoRPKI to crash
CVSS Score (v3.1): 7.5
Basic Information
CVE ID: CVE-2021-3910
GHSA ID:
EPSS Score: 0.65191%
CWE: CWE-20 (Improper Input Validation)
Published: 11/10/2021
Updated: 2/14/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/cloudflare/cfrpki | go | < 1.4.0 | 1.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an input-validation failure (CWE-20) in OctoRPKI's BER decoder. Commit 76f0f7a adds a bounds check to readObject() in ber.go so that the function refuses to read when offset >= len(ber), i.e. past the end of the buffer. Before the patch, a ROA containing an unexpected NUL byte could drive the parser to index beyond the slice; in Go an out-of-range slice access is a runtime panic, which terminates the validator process. That is consistent with the CVSS vector, which records only an availability impact (C:N/I:N/A:H) and no confidentiality or integrity loss. Higher-level functions such as BER2DER appear among the affected symbols because they call into the decoder, but the root cause is the unchecked memory access in readObject.
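To make the failure mode concrete, the following is an added illustration written for this page, not code from cfrpki or from commit 76f0f7a. It implements a deliberately simplified BER tag-length-value reader (single-byte tags, definite-form lengths only) twice: readObjectUnchecked indexes the input without testing offset against len(ber), the pattern the advisory describes, and readObjectChecked validates every offset and length first. The function names, the berObject type and the sample byte strings are all constructed for the example and are not identifiers from the project.

```go
package main

import (
	"errors"
	"fmt"
)

// berObject is one decoded BER tag-length-value triple. Simplified for the
// example: single-byte tags, definite-form lengths only (no indefinite 0x80).
type berObject struct {
	Tag   byte
	Value []byte
}

var errTruncated = errors.New("ber: object extends past end of input")

// readObjectUnchecked follows the pre-patch pattern: it indexes ber without
// first checking offset < len(ber). A stray 0x00 where a length or body byte
// is expected runs the next index off the end, and Go panics at runtime.
func readObjectUnchecked(ber []byte, offset int) (berObject, int) {
	tag := ber[offset]
	offset++
	length := int(ber[offset])
	offset++
	if length&0x80 != 0 { // long form: low 7 bits = number of length bytes
		n := length & 0x7f
		length = 0
		for i := 0; i < n; i++ {
			length = length<<8 | int(ber[offset])
			offset++
		}
	}
	value := ber[offset : offset+length]
	return berObject{Tag: tag, Value: value}, offset + length
}

// readObjectChecked performs the same decode but verifies every offset and
// length against len(ber) before touching memory, returning an error instead
// of panicking. Written independently; it only mirrors the shape of the fix.
func readObjectChecked(ber []byte, offset int) (berObject, int, error) {
	if offset < 0 || offset >= len(ber) {
		return berObject{}, 0, errTruncated
	}
	tag := ber[offset]
	offset++
	if offset >= len(ber) {
		return berObject{}, 0, errTruncated
	}
	length := int(ber[offset])
	offset++
	if length&0x80 != 0 {
		n := length & 0x7f
		// Reject indefinite form (n == 0), oversized length-of-length, and
		// length bytes that are not actually present in the input.
		if n == 0 || n > 4 || n > len(ber)-offset {
			return berObject{}, 0, errTruncated
		}
		length = 0
		for i := 0; i < n; i++ {
			length = length<<8 | int(ber[offset])
			offset++
		}
	}
	if length > len(ber)-offset {
		return berObject{}, 0, errTruncated
	}
	return berObject{Tag: tag, Value: ber[offset : offset+length]}, offset + length, nil
}

// parseAll decodes consecutive top-level objects with the checked reader.
func parseAll(ber []byte) ([]berObject, error) {
	var objs []berObject
	for offset := 0; offset < len(ber); {
		obj, next, err := readObjectChecked(ber, offset)
		if err != nil {
			return nil, err
		}
		objs = append(objs, obj)
		offset = next
	}
	return objs, nil
}

// crashesUnchecked reports whether the unchecked reader panics on ber.
func crashesUnchecked(ber []byte) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	readObjectUnchecked(ber, 0)
	return false
}

func main() {
	in := []byte{0x04, 0x82, 0x00} // constructed: long-form length cut short by a NUL
	_, err := parseAll(in)
	fmt.Println("unchecked panics:", crashesUnchecked(in), "checked error:", err)
}
```

The three malformed shapes worth trying against both readers are an object whose declared length exceeds the remaining bytes, a long-form length whose length bytes are missing after a NUL, and an empty buffer (the offset >= len(ber) case the patch targets). The unchecked reader panics on all three; the checked reader returns errTruncated and the caller can log and skip the object rather than lose the process.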