CVE-2024-21502
HIGHfastecdsa < 2.3.2 - Use of Uninitialized Variable in curvemath_mul
Title source: llmDescription
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
References (4)
Core 4
Core References
Exploit, Third Party Advisory
https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045
Scores
CVSS v3
7.5
EPSS
0.0103
EPSS Percentile
58.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-457
CWE-908
Status
published
Products (2)
antonkueltz/fastecdsa
< 2.3.2
pypi/fastecdsa
0 - 2.3.2PyPI
Published
Feb 24, 2024
Tracked Since
Feb 18, 2026