CVE-2021-44078 — Incorrect Comparison in Unicorn

CWE-697 — Incorrect Comparison3 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 77.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Django-unicorn Unicorn Unicorn-engine Unicorn Engine

Timeline

PublishedDec 26

Latest updateDec 27

Description

An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5. It allows local attackers to escape the sandbox. An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability. The specific flaw exists within the virtual memory manager. The issue results from the faulty comparison of GVA and GPA while calling uc_mem_map_ptr to free part of a claimed memory block. An attacker can leverage this vulnerability to esc…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 1.4 | Impact: 6.0

Affected Packages2 packages

▶NVDunicorn-engine/unicorn_engine1.0.3+1

▶PyPIdjango-unicorn/unicorn< c733bbada356b0373fa8aa72c044574bb855fd24+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rmvm-v6m6-87vr: An issue was discovered in split_region in uc↗2021-12-27

▶

OSV

CVE-2021-44078: An issue was discovered in split_region in uc↗2021-12-26

▶