CVE-2021-27435: ARM mbed Integer Overflow or Wraparound
First published: Tue May 03 2022(Updated: )
ARM mbed product Version 6.3.0 is vulnerable to integer wrap-around in malloc_wrapper function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Arm Mbed OS | =6.3.0 | |
| Amazon FreeRTOS | ||
| Apache NuttX | ||
| ARM CMSIS-RTOS2 | ||
| Arm Mbed OS | ||
| Arm Mbed ualloc | ||
| QNX | ||
| BlackBerry QNX OS for Safety | ||
| BlackBerry QNX OS for Medical | ||
| QNX | ||
| Mongoose OS | ||
| eCosCentric eCosPro RTOS | ||
| Google Cloud IoT Device SDK | ||
| MediaTek LinkIt SDK | ||
| Micrium OS | ||
| Micrium uC/OS | ||
| NXP MCUXpresso SDK | ||
| NXP MQX | ||
| newlib | ||
| RIOT OS | ||
| Samsung Tizen RT | ||
| TencentOS-tiny | ||
| Texas Instruments SimpleLink CC32XX | ||
| Texas Instruments SimpleLink MSP432E4 SDK | ||
| Texas Instruments SimpleLink CC13X2 SDK | ||
| Texas Instruments SimpleLink CC26XX | ||
| Texas Instruments SimpleLink CC32XX | ||
| uClibc | ||
| Wind River VxWorks | ||
| Zephyr Project RTOS |
Remedy
ARM Mbed OS update available.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-27435.
What is the severity of CVE-2021-27435?
The severity of CVE-2021-27435 is critical (9.8).
What is affected by CVE-2021-27435?
ARM mbed product Version 6.3.0 is affected by CVE-2021-27435.
What is the impact of CVE-2021-27435?
CVE-2021-27435 can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
How can I fix CVE-2021-27435?
To fix CVE-2021-27435, update the ARM mbed product to a version that is not affected by this vulnerability.
- agent/weakness
- agent/type
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- vendor/arm
- canonical/arm mbed os
- version/arm mbed os/6.3.0
- vendor/multiple
- canonical/amazon freertos
- canonical/apache nuttx
- canonical/arm cmsis-rtos2
- canonical/arm mbed ualloc
- canonical/qnx
- canonical/blackberry qnx os for safety
- canonical/blackberry qnx os for medical
- canonical/mongoose os
- canonical/ecoscentric ecospro rtos
- canonical/google cloud iot device sdk
- canonical/mediatek linkit sdk
- canonical/micrium os
- canonical/micrium uc/os
- canonical/nxp mcuxpresso sdk
- canonical/nxp mqx
- canonical/newlib
- canonical/riot os
- canonical/samsung tizen rt
- canonical/tencentos-tiny
- canonical/texas instruments simplelink cc32xx
- canonical/texas instruments simplelink msp432e4 sdk
- canonical/texas instruments simplelink cc13x2 sdk
- canonical/texas instruments simplelink cc26xx
- canonical/uclibc
- canonical/wind river vxworks
- canonical/zephyr project rtos