#VU51441 Use-after-free in GnuTLS - CVE-2021-20231
Published: March 14, 2021
Vulnerability identifier: #VU51441
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-20231
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
GnuTLS
GnuTLS
Software vendor:
GnuTLS
GnuTLS
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in client sending key_share extension. A remote attacker can trick the victim to connect to a malicious server using a large Client Hello message over TLS 1.3, trigger a use-after-free error and crash the application or execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install updates from vendor's website.