CVE-2021-22547

Published: May 4, 2021Modified: Jun 17, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.

Affected (1)

Products: Google: Cloud Iot Device Sdk For Embedded C

1 product

Cloud Iot Device Sdk For Embedded C

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Cloud Iot Device Sdk For Embedded C	Before 1.0.3

Related CWEs

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (4)

https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/blob/master/RELEASE-NOTES.md

Source: cve-coordination@google.com

Release NotesThird Party Advisory

https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119

Source: cve-coordination@google.com

PatchThird Party Advisory

https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/blob/master/RELEASE-NOTES.md

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.