CVE-2021-46170

7.5 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in JerryScript's lexer component that could allow memory corruption. Attackers could potentially execute arbitrary code or cause denial of service by exploiting this flaw. Systems running vulnerable versions of JerryScript or applications embedding it are affected.

💻 Affected Systems

Products:
  • JerryScript JavaScript engine
  • IoT devices using JerryScript
  • Embedded systems with JerryScript
Versions: Versions up to commit a6ab5e9
Operating Systems: All platforms running JerryScript
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or device using JerryScript JavaScript engine is potentially vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation

🟠 Likely Case: Application crash or denial of service, potentially leading to memory corruption that could be leveraged for further exploitation

🟢 If Mitigated: Contained application crash with no privilege escalation if proper sandboxing and memory protections are implemented

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious JavaScript that triggers the use-after-free condition

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit a6ab5e9

Vendor Advisory: https://github.com/jerryscript-project/jerryscript/issues/4917

Restart Required: Yes

Instructions:

1. Update JerryScript to latest version from official repository
2. Rebuild any applications using JerryScript
3. Restart affected services or devices

🔧 Temporary Workarounds

Disable JavaScript execution (platform: all)

Temporarily disable JavaScript processing in affected systems if not essential

Memory protection hardening (platform: linux)

Enable ASLR and other memory protection mechanisms:

sysctl -w kernel.randomize_va_space=2

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks
  • Implement strict input validation and sanitization for JavaScript processing

🔍 How to Verify

Check if Vulnerable:

Check JerryScript version/git commit hash against vulnerable commit a6ab5e9

Check Version:

jerry --version or check git commit hash in source

Verify Fix Applied:

Verify JerryScript version is newer than commit a6ab5e9
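
The check above as an added example (not part of the original advisory or the JerryScript project): commit hashes have no ordering, so "newer than a6ab5e9" is decided by asking git whether a6ab5e9 is an ancestor of the checked-out HEAD. The function name and output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a JerryScript source checkout relative to commit
# a6ab5e9, which this page gives as the last affected commit.
# jerry_checkout_status and its output labels are hypothetical names.

BASELINE_DEFAULT="a6ab5e9"

# Usage: jerry_checkout_status <repo-dir> [baseline-commit]
# Prints one of: affected | past-baseline | diverged | unknown
jerry_checkout_status() {
    repo=$1
    baseline=${2:-$BASELINE_DEFAULT}

    # Resolve both sides to full commit ids. If either is missing (shallow
    # clone, vendored tarball without history) report "unknown", never "fixed".
    head=$(git -C "$repo" rev-parse --verify --quiet 'HEAD^{commit}') || {
        echo unknown; return 0; }
    base=$(git -C "$repo" rev-parse --verify --quiet "${baseline}^{commit}") || {
        echo unknown; return 0; }

    if [ "$head" = "$base" ]; then
        echo affected          # checkout is exactly the baseline commit
    elif git -C "$repo" merge-base --is-ancestor "$head" "$base" 2>/dev/null; then
        echo affected          # checkout is older than the baseline
    elif git -C "$repo" merge-base --is-ancestor "$base" "$head" 2>/dev/null; then
        echo past-baseline     # history contains the baseline plus later commits
    else
        echo diverged          # unrelated or forked history: review manually
    fi
}
```

Call it as `jerry_checkout_status /path/to/jerryscript`. A result of past-baseline reflects this page's statement that versions after a6ab5e9 are patched; diverged and unknown need manual review of the vendored source.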

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • Memory access violation errors
  • Unexpected process termination

Network Indicators:

  • Unusual JavaScript payloads
  • Repeated connection attempts to JerryScript endpoints

SIEM Query:

process_name:"jerry" AND (event_type:crash OR memory_violation)
