CVE-2024-21502 – CVE-2024-21502 is a use of uninitialized variab... (How to Fix)

📋 TL;DR

CVE-2024-21502 is a use of uninitialized variable vulnerability in fastecdsa's curvemath_mul function that allows attackers to control stack memory. This can lead to arbitrary free/realloc operations, null pointer dereferences, and heap corruption, potentially enabling denial of service or code execution. Users of fastecdsa versions before 2.3.2 are affected.

💻 Affected Systems

Products:

fastecdsa

Versions: All versions before 2.3.2

Operating Systems: All platforms running Python

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using fastecdsa for elliptic curve cryptography operations is vulnerable.

📦 What is this software?

Fastecdsa by Antonkueltz

View all CVEs affecting Fastecdsa →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution through heap exploitation leading to complete system compromise.

🟠

Likely Case

Denial of service through application crashes or memory corruption.

🟢

If Mitigated

Limited impact if proper memory protections and exploit mitigations are enabled.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Proof of concept available in GitHub gist; exploitation requires triggering the vulnerable curvemath_mul function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.2

Vendor Advisory: https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36

Restart Required: No

Instructions:

1. Update fastecdsa package using pip: pip install --upgrade fastecdsa==2.3.2
2. Verify installation with: pip show fastecdsa
3. Restart any services using fastecdsa.

🔧 Temporary Workarounds

Disable vulnerable functionality

all

Avoid using curvemath_mul function or disable affected cryptographic operations.

🧯 If You Can't Patch

Implement strict input validation and sanitization for all inputs to fastecdsa functions.
Deploy memory protection mechanisms like ASLR and stack canaries to reduce exploit success.

🔍 How to Verify

Check if Vulnerable:

Check installed fastecdsa version: pip show fastecdsa | grep Version

Check Version:

pip show fastecdsa | grep Version

Verify Fix Applied:

Confirm version is 2.3.2 or higher: pip show fastecdsa | grep Version

📡 Detection & Monitoring

Log Indicators:

Application crashes, segmentation faults, abnormal memory usage patterns

Network Indicators:

Unusual requests to services using fastecdsa, especially with crafted cryptographic inputs

SIEM Query:

Process monitoring for fastecdsa-related crashes or memory corruption events.

📊 Metadata

CVE ID: CVE-2024-21502

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-457

Published: February 24, 2024

Last Updated: February 12, 2025

🔗 References

https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26 Exploit,Third Party Advisory
https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210 Broken Link
https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36 Patch
https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045 Exploit,Third Party Advisory
https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26 Exploit,Third Party Advisory
https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210 Broken Link
https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36 Patch
https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21502, you might also want to check these: