CVE-2021-27421: NXP MCUXpresso SDK Integer Overflow or Wraparound
First published: Tue May 03 2022(Updated: )
NXP MCUXpresso SDK versions prior to 2.8.2 are vulnerable to integer overflow in SDK_Malloc function, which could allow to access memory locations outside the bounds of a specified array, leading to unexpected behavior such segmentation fault when assigning a particular block of memory from the heap via malloc.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nxp Mcuxpresso Software Development Kit | <2.8.2 | |
| Multiple Amazon FreeRTOS, Version 10.4.1 | ||
| Multiple Apache Nuttx OS, Version 9.1.0 | ||
| Multiple ARM CMSIS-RTOS2, versions prior to 2.1.3 | ||
| Multiple ARM Mbed OS, Version 6.3.0 | ||
| Multiple ARM mbed-ualloc, Version 1.3.0 | ||
| Multiple BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier | ||
| Multiple BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262 | ||
| Multiple BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304 A full list of affected QNX products and versions is available here | ||
| Multiple A full list of affected QNX products and versions is available here | ||
| Multiple Cesanta Software Mongoose OS, v2.17.0 | ||
| Multiple eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 | ||
| Multiple Google Cloud IoT Device SDK, Version 1.0.2 | ||
| Multiple Media Tek LinkIt SDK, versions prior to 4.6.1 | ||
| Multiple Micrium OS, Versions 5.10.1 and prior | ||
| Multiple Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00 | ||
| Multiple NXP MCUXpresso SDK, versions prior to 2.8.2 | ||
| Multiple NXP MQX, Versions 5.1 and prior | ||
| Multiple Redhat newlib, versions prior to 4.0.0 | ||
| Multiple RIOT OS, Version 2020.01.1 | ||
| Multiple Samsung Tizen RT RTOS, versions prior 3.0.GBB | ||
| Multiple TencentOS-tiny, Version 3.1.0 | ||
| Multiple Texas Instruments CC32XX, versions prior to 4.40.00.07 | ||
| Multiple Texas Instruments SimpleLink MSP432E4XX | ||
| Multiple Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 | ||
| Multiple Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 | ||
| Multiple Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 | ||
| Multiple Uclibc-NG, versions prior to 1.0.36 | ||
| Multiple Windriver VxWorks, prior to 7.0 | ||
| Multiple Zephyr Project RTOS, versions prior to 2.5 |
Remedy
Update NXP MCUXpresso SDK to 2.9.0 or later
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-27421?
CVE-2021-27421 is a vulnerability in NXP MCUXpresso SDK versions prior to 2.8.2 that allows an attacker to access memory locations outside the bounds of a specified array.
How severe is CVE-2021-27421?
CVE-2021-27421 has a severity rating of 9.8 out of 10, indicating a critical vulnerability.
Which software versions are affected by CVE-2021-27421?
NXP MCUXpresso SDK versions prior to 2.8.2 are affected by CVE-2021-27421.
What is the impact of CVE-2021-27421?
CVE-2021-27421 can lead to unexpected behavior, such as segmentation faults, when assigning a specific block of memory from the heap.
How can CVE-2021-27421 be fixed?
To fix CVE-2021-27421, update to NXP MCUXpresso SDK version 2.8.2 or later.
- collector/nvd-index
- agent/type
- agent/author
- agent/weakness
- agent/references
- agent/description
- agent/softwarecombine
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/nxp
- canonical/nxp mcuxpresso software development kit
- vendor/multiple
- canonical/multiple amazon freertos, version 10.4.1
- canonical/multiple apache nuttx os, version 9.1.0
- canonical/multiple arm cmsis-rtos2, versions prior to 2.1.3
- canonical/multiple arm mbed os, version 6.3.0
- canonical/multiple arm mbed-ualloc, version 1.3.0
- canonical/multiple blackberry qnx sdp versions 6.5.0 sp1 and earlier
- canonical/multiple blackberry qnx os for safety versions 1.0.1 and earlier safety products compliant with iec 61508 and/or iso 26262
- canonical/multiple blackberry qnx os for medical versions 1.1 and earlier safety products compliant with iec 62304 a full list of affected qnx products and versions is available here
- canonical/multiple a full list of affected qnx products and versions is available here
- canonical/multiple cesanta software mongoose os, v2.17.0
- canonical/multiple ecoscentric ecospro rtos, versions 2.0.1 through 4.5.3
- canonical/multiple google cloud iot device sdk, version 1.0.2
- canonical/multiple media tek linkit sdk, versions prior to 4.6.1
- canonical/multiple micrium os, versions 5.10.1 and prior
- canonical/multiple micrium uc/os: uc/lib versions 1.38.xx, version 1.39.00
- canonical/multiple nxp mcuxpresso sdk, versions prior to 2.8.2
- canonical/multiple nxp mqx, versions 5.1 and prior
- canonical/multiple redhat newlib, versions prior to 4.0.0
- canonical/multiple riot os, version 2020.01.1
- canonical/multiple samsung tizen rt rtos, versions prior 3.0.gbb
- canonical/multiple tencentos-tiny, version 3.1.0
- canonical/multiple texas instruments cc32xx, versions prior to 4.40.00.07
- canonical/multiple texas instruments simplelink msp432e4xx
- canonical/multiple texas instruments simplelink-cc13xx, versions prior to 4.40.00
- canonical/multiple texas instruments simplelink-cc26xx, versions prior to 4.40.00
- canonical/multiple texas instruments simplelink-cc32xx, versions prior to 4.10.03
- canonical/multiple uclibc-ng, versions prior to 1.0.36
- canonical/multiple windriver vxworks, prior to 7.0
- canonical/multiple zephyr project rtos, versions prior to 2.5