← back
CVE-2021-22570

Nullptr Dereference in Protobuf

CVSS 6.5 MEDIUMEPSS 2.7%CWE-476
In short

A null character in a Protocol Buffer symbol causes the system to crash because it tries to use a file pointer that doesn't exist. This can cause the application to stop working unexpectedly.

Technical detail

A null byte embedded in a proto symbol causes incorrect parsing, resulting in a nullptr dereference during error message generation when accessing the proto file object. The vulnerability requires crafting a malformed .proto file with embedded null characters; exploitation leads to denial of service via application crash.

Summary generated and translated by AI from the official description.
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products
Google LLC · Protobuf

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0https://lists.debian.org/debian-lts-announce/2023/04/msg00019.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP/https://security.netapp.com/advisory/ntap-20220429-0005/https://www.oracle.com/security-alerts/cpuapr2022.html