Memory over-allocation in evm crate
CVE-2021-29511

6.5MEDIUM

Key Information:

Vendor

Rust-blockchain

Status
Evm
Vendor
CVE Published:
12 May 2021

What is CVE-2021-29511?

evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use evm_core::Memory::copy_large, the evm crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack. The flaw was corrected in commit 19ade85. Users should upgrade to ==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1. There are no workarounds. Please upgrade your evm crate version.

Affected Version(s)

evm < 0.21.1 < 0.21.1

evm = 0.22.0 = 0.22.0

evm = 0.23.0 = 0.23.0

References

https://github.com/rust-blockchain/evm/security/advisorie...
x_refsource_CONFIRM
https://github.com/rust-blockchain/evm/commit/19ade858c43...
x_refsource_MISC
https://crates.io/crates/evm
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.