{"id":"CVE-2021-22547","details":"In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.","modified":"2026-04-11T13:53:50.075676Z","published":"2021-05-04T13:15:07.427Z","references":[{"type":"ADVISORY","url":"https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/blob/master/RELEASE-NOTES.md"},{"type":"FIX","url":"https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c","events":[{"introduced":"0"},{"fixed":"041656933586e43cc24388a54781730df55ad567"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.0.3"}]}}],"versions":["v0.7.0","v1.0.0","v1.0.1","v1.0.2"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","source":"https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/commit/041656933586e43cc24388a54781730df55ad567","id":"CVE-2021-22547-31b8d899","digest":{"function_hash":"81785243033371308374503153215231695397","length":165},"deprecated":false,"target":{"file":"src/bsp/platform/posix/iotc_bsp_io_fs_posix.c","function":"iotc_bsp_io_fs_posix_file_list_cnd"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/commit/041656933586e43cc24388a54781730df55ad567","id":"CVE-2021-22547-874992c4","digest":{"line_hashes":[],"threshold":0.9},"deprecated":false,"target":{"file":"src/bsp/platform/posix/iotc_bsp_io_fs_posix.c"},"signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/commit/041656933586e43cc24388a54781730df55ad567","id":"CVE-2021-22547-8ee74583","digest":{"function_hash":"68907939495310070813791418474976135519","length":768},"deprecated":false,"target":{"file":"src/bsp/platform/posix/iotc_bsp_io_fs_posix.c","function":"iotc_bsp_io_fs_close"},"signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22547.json","vanir_signatures_modified":"2026-04-11T13:53:50Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}