ARM mbed-ualloc memory library Integer Overflow or Wraparound
CVE-2021-27433

7.3HIGH

Key Information:

Vendor: Arm
Status: Mbed-ualloc Memory Library
Vendor: CVE Published:; 3 May 2022

Summary

ARM mbed-ualloc memory library version 1.3.0 is vulnerable to integer wrap-around in function mbed_krbs, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

Affected Version(s)

mbed-ualloc memory library 1.3.0

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-04

x_refsource_CONFIRM

https://github.com/ARMmbed/mbed-os/pull/14408

x_refsource_CONFIRM

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2022
Vulnerability Reserved
Feb 19, 2021

Credit

David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52, and the Azure Defender for IoT research group reported these vulnerabilities to CISA.