CVE-2024-21502 Overview
CVE-2024-21502 affects versions of the Python fastecdsa package prior to 2.3.2. The vulnerability stems from use of an uninitialized stack variable in the curvemath_mul function within src/curveMath.c. The uninitialized memory is interpreted as a user-defined type, which can lead to arbitrary free(), arbitrary realloc(), null pointer dereference, and related memory corruption conditions. Because attackers can influence the stack contents, the flaw can corrupt allocator structures and create conditions for heap exploitation or denial of service. The package author addressed the issue in commit 57fc5689c95d649dab7ef60cc99ac64589f01e36.
Critical Impact
Network-reachable callers of fastecdsa can trigger memory corruption or denial of service through manipulated inputs that exercise the vulnerable elliptic curve multiplication path.
Affected Products
- antonkueltz fastecdsa versions prior to 2.3.2
- Python applications depending on vulnerable fastecdsa releases
- Downstream packages bundling fastecdsa for ECDSA cryptographic operations
Discovery Timeline
- 2024-02-24 - CVE-2024-21502 published to the National Vulnerability Database (NVD)
- 2025-02-12 - Last updated in NVD database
Technical Details for CVE-2024-21502
Vulnerability Analysis
The vulnerability resides in the curvemath_mul function in src/curveMath.c, which implements scalar multiplication on elliptic curves. The function declares a PointZZ_p result structure on the stack but does not initialize its internal mpz_t members before they are used. The GMP library expects mpz_t variables to be initialized via mpz_init before any operation that reads or writes them.
When the uninitialized structure is passed to downstream GMP routines, the library interprets stack residue as valid mpz_t metadata, including allocator pointers and size fields. Operations such as mpz_set, mpz_realloc, and the eventual mpz_clear then operate on attacker-influenced values. This maps to CWE-457 (Use of Uninitialized Variable) and CWE-908 (Use of Uninitialized Resource).
Root Cause
The root cause is the omission of mpz_inits(result.x, result.y, NULL) prior to use of the result structure. Stack contents from previous frames populate the structure, and GMP treats those bytes as live limb pointers and length fields. Depending on the residual values, this produces arbitrary free(), arbitrary realloc(), or null pointer dereference behavior inside the allocator.
Attack Vector
An attacker who controls scalar or curve parameters supplied to fastecdsa operations can influence the stack state leading into curvemath_mul. Applications that accept untrusted ECDSA signatures, public keys, or curve parameters over the network expose this code path. Successful exploitation corrupts heap allocator metadata and can be chained toward heap exploitation, while the minimum observable impact is process crash and denial of service.
}
PointZZ_p result;
+ mpz_inits(result.x, result.y, NULL);
mpz_t scalar;
mpz_init_set_str(scalar, d, 10);
CurveZZ_p * curve = buildCurveZZ_p(p, a, b, q, gx, gy, 10);;
Source: GitHub patch commit 57fc5689. The patch adds the missing mpz_inits call so the result structure holds valid GMP state before use.
Detection Methods for CVE-2024-21502
Indicators of Compromise
- Repeated segmentation faults or SIGABRT events in Python processes loading fastecdsa extensions
- Glibc allocator diagnostics such as free(): invalid pointer or malloc_consolidate(): invalid chunk size emitted by applications using fastecdsa
- Anomalous core dumps with stack traces referencing curvemath_mul or _curveMath.so
Detection Strategies
- Inventory Python environments and identify installations of fastecdsa below version 2.3.2 using pip list or software composition analysis tooling
- Scan source repositories and lockfiles (requirements.txt, Pipfile.lock, poetry.lock) for pinned vulnerable versions
- Review code that passes externally controlled scalars or curve parameters into fastecdsa APIs such as curve.G * k
Monitoring Recommendations
- Forward process crash telemetry and glibc allocator errors from production hosts to a centralized logging platform for correlation
- Track outbound calls to package indexes to detect installations of unpatched fastecdsa versions
- Alert on repeated unhandled exceptions originating from ECDSA verification paths in application logs
How to Mitigate CVE-2024-21502
Immediate Actions Required
- Upgrade fastecdsa to version 2.3.2 or later in all Python environments and container images
- Rebuild and redeploy applications that statically bundle the vulnerable C extension
- Audit application entry points that accept untrusted ECDSA signatures, keys, or curve parameters and add input validation
Patch Information
The fix is delivered in commit 57fc5689c95d649dab7ef60cc99ac64589f01e36 and shipped in fastecdsa 2.3.2. The patch initializes the resultPointZZ_p structure via mpz_inits(result.x, result.y, NULL) before any GMP operation touches its members. Refer to the upstream commit and the Snyk advisory for additional context.
Workarounds
- Replace fastecdsa with an alternative ECDSA implementation such as cryptography or ecdsa until upgrades can be applied
- Reject untrusted scalar or curve parameters at the application layer before they reach fastecdsa APIs
- Run affected services under process supervisors that restart on crash and isolate them with seccomp or container sandboxing to limit blast radius
# Upgrade fastecdsa to the patched release
pip install --upgrade 'fastecdsa>=2.3.2'
# Verify installed version
python -c "import fastecdsa, importlib.metadata as m; print(m.version('fastecdsa'))"
# Pin the minimum safe version in requirements.txt
echo 'fastecdsa>=2.3.2' >> requirements.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
