Heap-Based Buffer Overflow in wolfMQTT from wolfSSL
CVE-2021-45933

5.5 MEDIUM

Key Information:

Vendor: Wolfssl
Status: Vendor
CVE Published: 1 January 2022

Summary

wolfMQTT version 1.9 contains a critical vulnerability: a heap-based buffer overflow in the MqttDecode_Publish function. The overflow can be triggered while a PUBLISH packet is being decoded, leading to memory corruption and potentially arbitrary code execution. The flaw stems from insufficient validation of input lengths, which allows an overflow of 8 bytes past the buffer and undermines the integrity of the MQTT protocol implementation. Users of affected versions are advised to update to mitigate the risk.

References

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
