What is CVE-2021-21401?

CVE-2021-21401 is a high-severity vulnerability in Nanopb, classified under Release of Invalid Pointer or Reference. CVSS score: 7.1/10. Published 2021-03-23.

How severe is CVE-2021-21401?

High severity. CVSS v3 base score is 7.1 out of 10.

Is CVE-2021-21401 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Nanopb

CVE-2021-21401

Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid `free()` or `realloc()` calls if the message type contains an `one…

EPSS: 0.008 (74.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L.

Affected products

Nanopb — versions >= 0.3.2, <= 0.3.9.7, >= 0.4.0, <= 0.4.4

Weakness classification (CWE)

CWE-763 — Release of Invalid Pointer or Reference

Public proof-of-concept exploits

References

github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88 (x_refsource_CONFIRM)
github.com/nanopb/nanopb/issues/647 (x_refsource_MISC)
github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261 (x_refsource_MISC)
github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELO… (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-21401?: CVE-2021-21401 is a high-severity vulnerability in Nanopb, classified under Release of Invalid Pointer or Reference. CVSS score: 7.1/10. Published 2021-03-23.
How severe is CVE-2021-21401?: High severity. CVSS v3 base score is 7.1 out of 10.
Is CVE-2021-21401 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.