CVE-2021-44078

8.1 HIGH

📋 TL;DR

This vulnerability in Unicorn Engine allows attackers to escape sandbox restrictions and execute arbitrary code on the host system. It affects systems using Unicorn Engine for emulation or sandboxing before version 2.0.0-rc5. Attackers need initial code execution within the sandbox to exploit this flaw.

💻 Affected Systems

Products:
  • Unicorn Engine
Versions: All versions before 2.0.0-rc5
Operating Systems: All platforms running Unicorn Engine
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Unicorn Engine's memory mapping functionality with sandboxing features.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete sandbox escape leading to full host system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Limited sandbox escape allowing execution of unauthorized code on the host, potentially leading to privilege escalation.

🟢 If Mitigated: Impact contained within the sandbox, with no host system access, if proper isolation controls are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires initial code execution within the sandbox. Public proof-of-concept exists in CTF challenges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.0-rc5 and later

Vendor Advisory: https://github.com/unicorn-engine/unicorn/commit/c733bbada356b0373fa8aa72c044574bb855fd24

Restart Required: Yes

Instructions:

1. Update Unicorn Engine to version 2.0.0-rc5 or later.
2. Recompile any applications using Unicorn Engine.
3. Restart affected services.

🔧 Temporary Workarounds

  • Disable memory remapping (applies to: all)
  • Prevent use of the uc_mem_map_ptr functionality that triggers the vulnerability
  • Modify application code to avoid split_region operations

🧯 If You Can't Patch

  • Isolate Unicorn Engine instances in separate containers with minimal privileges
  • Implement strict monitoring for unusual memory access patterns in sandboxed processes

🔍 How to Verify

Check if Vulnerable:

Check the Unicorn Engine version: if it is older than 2.0.0-rc5, the system is vulnerable.

Check Version:

Run unicorn --version, or check the version of the Unicorn library linked into the application.

Verify Fix Applied:

Confirm the version is 2.0.0-rc5 or later, then test that sandbox isolation holds.
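A version check for the condition above, added here as an example and not code from the page or from the Unicorn project. It orders release-candidate tags correctly, so 2.0.0-rc4 counts as vulnerable while 2.0.0-rc5 and 2.0.0 do not; the optional lookup of the installed version assumes the unicorn Python package exposes a __version__ string.

```python
import re
from typing import Optional, Tuple

# Fixed release named in the advisory for CVE-2021-44078.
FIXED_VERSION = "2.0.0-rc5"

# Accepted formats (assumption): "MAJOR.MINOR.PATCH" optionally followed by a
# release-candidate tag written as "-rcN", ".rcN" or "rcN" (PEP 440 style
# seen on Python wheels, e.g. "2.0.0rc5").
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-.]?rc(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key for a Unicorn version string.

    A final release must sort after every rc of the same number, so an rc
    is encoded as (0, N) and a final release as (1, 0) in the last two slots.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Unicorn version string: {text!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


def is_vulnerable(version_text: str) -> bool:
    """True when the given Unicorn Engine version predates the 2.0.0-rc5 fix."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def installed_unicorn_version() -> Optional[str]:
    """Best-effort read of the Python binding's version; None if not installed.

    Assumption: the 'unicorn' package exposes a __version__ attribute.
    """
    try:
        import unicorn  # type: ignore
    except ImportError:
        return None
    return getattr(unicorn, "__version__", None)


if __name__ == "__main__":
    for v in ("1.0.3", "2.0.0-rc4", "2.0.0rc5", "2.0.0", "2.0.1"):
        print(f"{v:>10}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    installed = installed_unicorn_version()
    if installed:
        print(f" installed: {installed} -> {'VULNERABLE' if is_vulnerable(installed) else 'fixed'}")
```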

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory mapping operations
  • Sandbox process attempting host system calls

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Process where parent_process contains 'unicorn' AND (event_type='Process Creation' OR event_type='Memory Access Violation')

🔗 References
