CVE-2021-46878

7.8 HIGH

📋 TL;DR

CVE-2021-46878 is a type confusion vulnerability in Fluent Bit's msgpack parsing that leads to use-after-free conditions. Attackers can craft malicious files that, when processed by vulnerable Fluent Bit instances, could allow arbitrary code execution. This affects systems using Fluent Bit for log processing and data collection.

💻 Affected Systems

Products:
  • Treasure Data Fluent Bit
Versions: 1.7.1 specifically, potentially other versions with similar code
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any configuration that processes msgpack data from untrusted sources is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the Fluent Bit process, potentially leading to full system compromise.

🟠 Likely Case

Denial of service through process crashes, with potential for limited code execution in targeted attacks.

🟢 If Mitigated

Process crashes without code execution if exploit attempts are blocked or fail.

🌐 Internet-Facing: MEDIUM - Fluent Bit is often deployed internally but can be internet-facing in cloud logging scenarios.
🏢 Internal Only: HIGH - Many organizations use Fluent Bit internally for log aggregation across their infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the attacker to supply specially crafted msgpack data to the vulnerable parser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in versions after 1.7.1, specifically in the commit referenced in PR #3115

Vendor Advisory: https://github.com/fluent/fluent-bit/security/advisories

Restart Required: Yes

Instructions:

1. Update Fluent Bit to version 1.7.2 or later.
2. Restart all Fluent Bit services.
3. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation (platform: all)

Validate and sanitize all msgpack input from untrusted sources before processing.

Network Segmentation (platform: all)

Restrict network access to Fluent Bit instances to trusted sources only.

🧯 If You Can't Patch

  • Implement strict input validation for all msgpack data sources
  • Deploy Fluent Bit in isolated containers with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check the Fluent Bit version with: fluent-bit --version. If the version is 1.7.1 or potentially earlier, you may be vulnerable.

Check Version:

fluent-bit --version

Verify Fix Applied:

Verify version is 1.7.2 or later and check that the fix commit from PR #3115 is included.
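
The version check above can be scripted for use across a fleet. The following is an added example, not part of the original advisory or the Fluent Bit project; the function names are hypothetical, and it assumes the output of fluent-bit --version contains the release as an X.Y.Z triple (for example "Fluent Bit v1.7.1").

```shell
#!/bin/sh
# Added example: classify Fluent Bit version output against the 1.7.2
# threshold stated on this page. Function names are hypothetical.
# Assumption: the --version output contains the release as X.Y.Z.

FIXED_VERSION="1.7.2"   # first fixed release according to this page

# Print the first X.Y.Z triple found in the text passed as $1 (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when version $1 is strictly lower than version $2.
# Fields are compared numerically, so 1.10.0 is not mistaken for < 1.7.2.
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # split both triples: $1..$3 and $4..$6
    IFS=$old_ifs
    if [ "$1" -lt "$4" ]; then return 0; elif [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; elif [ "$2" -gt "$5" ]; then return 1; fi
    [ "$3" -lt "$6" ]
}

# Map raw `fluent-bit --version` output to a verdict line.
# A "fixed-release" verdict covers the version number only; the page also
# asks you to confirm that the fix commit from PR #3115 is included.
classify_version_output() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "may-be-vulnerable $ver"
    else
        echo "fixed-release $ver"
    fi
}

# Check the locally installed binary, if there is one.
if command -v fluent-bit >/dev/null 2>&1; then
    classify_version_output "$(fluent-bit --version 2>&1)"
fi
```

An "unknown" verdict means no version triple was found in the output, so that host needs a manual check.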

📡 Detection & Monitoring

Log Indicators:

  • Fluent Bit process crashes
  • Memory access violation errors in logs
  • Unexpected parsing errors

Network Indicators:

  • Unusual network connections to Fluent Bit ports
  • Large or malformed msgpack payloads

SIEM Query:

source="fluent-bit" AND (error OR crash OR "segmentation fault")
