Vyper vulnerable to memory corruption in certain builtins utilizing `msize`
CVE-2023-42443

8.1 HIGH

Key Information:

Vendor

Vyperlang

Status
Vendor
CVE Published:
18 September 2023

What is CVE-2023-42443?

Vyper, a smart contract language widely used for writing Ethereum smart contracts, is affected by a memory corruption vulnerability in versions up to 0.3.9. Under specific conditions, the memory used by the builtins `raw_call`, `create_from_blueprint`, and `create_copy_of` can be corrupted. For `raw_call`, if the data argument is `msg.data` and a complex expression is passed as value or gas, the calldata in the associated sub-context may be corrupted. For `create_from_blueprint` and `create_copy_of`, a complex expression passed as value or salt can result in incorrect bytecode being deployed. As of now, no patches are available, and investigation is ongoing to identify possible additional scenarios that could trigger this corruption. Users are advised to cache complex expressions in memory before invoking these builtins to mitigate the risk.
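An added review aid, not part of the advisory or of the Vyper project: a Python check that flags calls matching the conditions described above so the expression can be cached in a local variable first. It assumes the contract source parses as Python syntax, and it conservatively treats only a literal or a bare local name as "cached"; the function names and the sample contract are constructed for illustration.

```python
import ast

# Keyword arguments the advisory names for each affected builtin.
RISKY_KWARGS = {
    "raw_call": {"value", "gas"},
    "create_from_blueprint": {"value", "salt"},
    "create_copy_of": {"value", "salt"},
}

def is_cached(node):
    # Assumption: a literal or a bare local name is already cached.
    return isinstance(node, (ast.Constant, ast.Name))

def is_msg_data(node):
    return (isinstance(node, ast.Attribute) and node.attr == "data"
            and isinstance(node.value, ast.Name) and node.value.id == "msg")

def find_risky_calls(source):
    """Return sorted (line, builtin, kwarg) tuples for calls to review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        kwargs = RISKY_KWARGS.get(node.func.id)
        if kwargs is None:
            continue
        # The raw_call case only applies when the data argument is msg.data.
        if node.func.id == "raw_call" and (
                len(node.args) < 2 or not is_msg_data(node.args[1])):
            continue
        for kw in node.keywords:
            if kw.arg in kwargs and not is_cached(kw.value):
                findings.append((node.lineno, node.func.id, kw.arg))
    return sorted(findings)

# Constructed sample contract: one risky raw_call, its cached form, one risky create.
SAMPLE = '''
@external
def forward(target: address, amount: uint256):
    raw_call(target, msg.data, value=self._fee(amount))

@external
def forward_cached(target: address, amount: uint256):
    fee: uint256 = self._fee(amount)
    raw_call(target, msg.data, value=fee)

@external
def clone(target: address, seed: bytes32) -> address:
    return create_copy_of(target, salt=keccak256(seed))
'''
print(find_risky_calls(SAMPLE))
```

`forward_cached` shows the mitigation the advisory recommends: the expression is evaluated into a local variable before the builtin is invoked, so the check does not flag it.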

Affected Version(s)

vyper <= 0.3.9

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved