Cyber Resilience

CVE-2021-26706

Critical

Published: 24 January 2022

Published
24 January 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0076 73.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-26706 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Micrium Uc\/Lib. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

An issue was discovered in lib_mem.c in Micrium uC/OS uC/LIB 1.38.x and 1.39.00. The following memory allocation functions do not check for integer overflow when allocating a pool whose size exceeds the address space: Mem_PoolCreate, Mem_DynPoolCreate, and Mem_DynPoolCreateHW. Because these…

more

functions use multiplication to calculate the pool sizes, the operation may cause an integer overflow if the arguments are large enough. The resulting memory pool will be smaller than expected and may be exploited by an attacker.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

micrium
uc\/lib
1.38.00, 1.38.01, 1.38.02, 1.38.03, 1.38.04

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References