First published: Mon Nov 20 2023(Updated: )
Texas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution.
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
Ti Real-time Operating System | ||
Any of | ||
Ti Cc3200 | ||
Ti Cc3220r | ||
Ti Cc3220s | ||
Ti Cc3220sf | ||
Ti Cc3230s | ||
Ti Cc3230sf | ||
Ti Cc3235s | ||
Ti Cc3235sf | ||
Ti Simplelink Cc13xx Software Development Kit | <4.40.00 | |
Ti Simplelink Cc26xx Software Development Kit | <4.40.00 | |
Ti Simplelink Cc32xx Software Development Kit | <4.10.03 | |
Ti Simplelink Msp432e401y | ||
Ti Simplelink Msp432e411y | ||
Multiple Amazon FreeRTOS, Version 10.4.1 | ||
Multiple Apache Nuttx OS, Version 9.1.0 | ||
Multiple ARM CMSIS-RTOS2, versions prior to 2.1.3 | ||
Multiple ARM Mbed OS, Version 6.3.0 | ||
Multiple ARM mbed-ualloc, Version 1.3.0 | ||
Multiple BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier | ||
Multiple BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262 | ||
Multiple BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304 A full list of affected QNX products and versions is available here | ||
Multiple A full list of affected QNX products and versions is available here | ||
Multiple Cesanta Software Mongoose OS, v2.17.0 | ||
Multiple eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 | ||
Multiple Google Cloud IoT Device SDK, Version 1.0.2 | ||
Multiple Media Tek LinkIt SDK, versions prior to 4.6.1 | ||
Multiple Micrium OS, Versions 5.10.1 and prior | ||
Multiple Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00 | ||
Multiple NXP MCUXpresso SDK, versions prior to 2.8.2 | ||
Multiple NXP MQX, Versions 5.1 and prior | ||
Multiple Redhat newlib, versions prior to 4.0.0 | ||
Multiple RIOT OS, Version 2020.01.1 | ||
Multiple Samsung Tizen RT RTOS, versions prior 3.0.GBB | ||
Multiple TencentOS-tiny, Version 3.1.0 | ||
Multiple Texas Instruments CC32XX, versions prior to 4.40.00.07 | ||
Multiple Texas Instruments SimpleLink MSP432E4XX | ||
Multiple Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 | ||
Multiple Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 | ||
Multiple Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 | ||
Multiple Uclibc-NG, versions prior to 1.0.36 | ||
Multiple Windriver VxWorks, prior to 7.0 | ||
Multiple Zephyr Project RTOS, versions prior to 2.5 |
Texas Instruments CC32XX – Update to v4.40.00.07 Texas Instruments SimpleLink CC13X0 – Update to v4.10.03 https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html Texas Instruments SimpleLink CC13X2-CC26X2 – Update to v4.40.00 https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html Texas Instruments SimpleLink CC2640R2 – Update to v4.40.00 https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html Texas Instruments SimpleLink MSP432E4 – Confirmed. No update currently planned
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-22636 is a vulnerability in Texas Instruments TI-RTOS that can result in code execution due to an integer overflow vulnerability in 'HeapMem_allocUnprotected'.
CVE-2021-22636 affects Texas Instruments TI-RTOS when configured to use the HeapMem heap.
CVE-2021-22636 has a severity level of 7.4 (High).
To fix CVE-2021-22636, users should update to the latest version of Texas Instruments TI-RTOS and apply any patches or security updates provided by the vendor.
More information about CVE-2021-22636 can be found on the CISA website and the Texas Instruments website.