PT-2024-18918 · Fastecdsa · Fastecdsa

Vladimir Cherepanov · Published 2024-02-23 · Updated 2024-02-26 · CVE-2024-21502

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: fastecdsa versions prior to 2.3.2
Description: The issue is the use of an uninitialized stack variable in the `curvemath_mul` function in src/curveMath.c. The variable is used and interpreted as a user-defined type, which could lead to an arbitrary free(), an arbitrary realloc(), a null pointer dereference, and other faults, depending on the variable's actual value. Since the stack contents can be controlled by the attacker, the vulnerability could be used to corrupt allocator structures, making heap exploitation possible. An attacker could cause a denial of service by exploiting this vulnerability.
Recommendations: For versions prior to 2.3.2, update to version 2.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `curvemath_mul` function in src/curveMath.c to minimize the risk of exploitation, and avoid using the affected function until the update is applied.
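The bug class described above (an uninitialized stack variable of a user-defined type reaching a cleanup path) is shown below as a constructed C illustration added to this advisory. It is not fastecdsa's code: the `bigval` type, the `mul_vulnerable` and `mul_fixed` functions, the limb arithmetic and the 64-limb cap are assumptions made up for the demonstration. It shows the vulnerable shape beside the fixed shape, with a self-check of the fixed version on a constructed input and on a rejected one.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of "Use of Uninitialized Resource", the weakness in this
 * advisory. Not fastecdsa's code: type, names and arithmetic are assumptions.
 * A bignum-like value whose limbs live on the heap, little-endian, base 2^32. */
typedef struct {
    unsigned int *limbs;   /* heap buffer, or NULL when the value is unset */
    size_t nlimbs;
} bigval;

/* Allocate zeroed limbs. Returns 0 on success, -1 on allocation failure. */
int bigval_init(bigval *v, size_t nlimbs) {
    v->limbs = calloc(nlimbs, sizeof *v->limbs);
    if (!v->limbs) return -1;
    v->nlimbs = nlimbs;
    return 0;
}

/* Release the limbs. free(NULL) is a no-op, so a zero-initialized value is safe to
 * clear; an uninitialized one hands whatever the stack held to free(). */
void bigval_clear(bigval *v) {
    free(v->limbs);
    v->limbs = NULL;
    v->nlimbs = 0;
}

/* Multiply the n-limb little-endian number a by the scalar k into out, which must
 * already hold n + 1 limbs; the final carry lands in limb n. */
void limbs_mul_scalar(const unsigned int *a, size_t n, unsigned int k, bigval *out) {
    unsigned long long carry = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long long t = (unsigned long long)a[i] * k + carry;
        out->limbs[i] = (unsigned int)t;
        carry = t >> 32;
    }
    out->limbs[n] = (unsigned int)carry;
}

/* VULNERABLE SHAPE: `result` is initialized only on the success path, but the shared
 * cleanup label clears it on every path. A rejected input therefore makes
 * bigval_clear() read indeterminate stack contents and pass them to free().
 * Kept for comparison only; the self-check below never calls it. */
int mul_vulnerable(const unsigned int *a, size_t n, unsigned int k, bigval *out) {
    bigval result;                     /* not initialized */
    if (a == NULL || n == 0 || n > 64)
        goto cleanup;                  /* skips bigval_init */
    if (bigval_init(&result, n + 1) != 0)
        return -1;
    limbs_mul_scalar(a, n, k, &result);
    *out = result;                     /* ownership moves to the caller */
    return 0;
cleanup:
    bigval_clear(&result);             /* free() of garbage on the error path */
    return -1;
}

/* FIXED SHAPE: validate the input before any resource exists, and give `result` a
 * defined empty state at its declaration, so every path reaching cleanup sees
 * either NULL or a live allocation. */
int mul_fixed(const unsigned int *a, size_t n, unsigned int k, bigval *out) {
    if (a == NULL || n == 0 || n > 64)
        return -1;                     /* nothing to release yet */
    bigval result = { NULL, 0 };       /* defined even if init fails */
    if (bigval_init(&result, n + 1) != 0)
        goto cleanup;
    limbs_mul_scalar(a, n, k, &result);
    *out = result;
    return 0;
cleanup:
    bigval_clear(&result);             /* free(NULL): harmless */
    return -1;
}

/* Self-check of the fixed version on a constructed operand (0x1FFFFFFFF * 2) and on
 * a rejected input. Returns 1 if both behave as expected, 0 otherwise. */
int selftest_fixed(void) {
    unsigned int a[2] = { 0xFFFFFFFFu, 1u };   /* constructed: 0x1FFFFFFFF */
    bigval out = { NULL, 0 };
    int ok = mul_fixed(a, 2, 2u, &out) == 0
          && out.nlimbs == 3
          && out.limbs[0] == 0xFFFFFFFEu && out.limbs[1] == 3u && out.limbs[2] == 0u;
    bigval_clear(&out);
    /* rejected input: no allocation happened, so nothing is freed and out is untouched */
    ok = ok && mul_fixed(NULL, 2, 2u, &out) == -1 && out.limbs == NULL;
    return ok;
}

int main(void) {
    printf("fixed version self-check: %s\n", selftest_fixed() ? "ok" : "FAILED");
    return 0;
}
```

The review point the fixed shape encodes is the one this advisory turns on: any variable that can reach a clear/free routine must have a defined value on every path, and input validation belongs before the first allocation so that error handling never has to release something that was never created.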

Weakness Enumeration

Use of Uninitialized Resource

Related Identifiers

CVE-2024-21502
GHSA-PH86-G9R3-5QW4
PYSEC-2024-39

Affected Products

Fastecdsa