
Newlib 3.3.0 vulnerability

Associate II


I have a project created with STM32CubeIDE that includes FreeRTOS.
A Black Duck vulnerability scan was made on this project and a single vulnerability (CVE-2021-3420) was detected.

This vulnerability describes a flaw in Newlib 3.3.0 (all versions before 4.0.0) which causes some newlib functions (mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc) to be unsafe with overflow conditions.

All the files that are tied to this vulnerability by the scan are files sourced from arm-none-eabi that the IDE toolchain (GNU Tools for STM32(11.3 rel1)) uses to build my project.

I am not sure how to fix this "vulnerability" in my project since I can't change how ARM implemented its build toolchain which STM32 is using.
I am hoping I can somehow validate that my project does not use these compromised functions.
From what I can tell, isn't this a problem for every user of arm-none-eabi-gcc?

Am I doing something wrong? Can I somehow reject this vulnerability or fix it?

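One way to answer the "does my firmware actually use these functions?" part of the question is to inspect the symbols of the final linked image rather than the toolchain's library files: the scanner flags the `.a` archives in the arm-none-eabi tree, but only the object code the linker pulled into the `.elf` ends up in the device. The script below is an added example, not something from the original post or from ST; it reads `arm-none-eabi-nm`-style output (`arm-none-eabi-nm project.elf | python check_newlib_symbols.py`) and reports whether any of the allocator entry points are present. The symbol list is an assumption: `memalign`, `pvalloc` and `valloc` (and their nano counterparts, which are linked under the same public names) follow from the function names in the CVE description above; the reentrant `_*_r` variants and the `aligned_alloc`/`posix_memalign` wrappers are included because in newlib they route through the same memalign implementation. The sample `nm` output is constructed for the example.

```python
import re
import sys

# Allocator entry points the question's CVE description names (memalign, pvalloc,
# valloc, plus their newlib-nano variants, which the nano library exports under
# the same public names). The _*_r reentrant forms and the aligned_alloc /
# posix_memalign wrappers are an assumption: in newlib they forward to memalign.
AFFECTED_SYMBOLS = {
    "memalign", "_memalign_r",
    "pvalloc", "_pvalloc_r",
    "valloc", "_valloc_r",
    "aligned_alloc", "posix_memalign",
}

# `nm` prints "<addr> <type> <name>"; undefined symbols have no address column.
NM_LINE = re.compile(r"^(?:([0-9a-fA-F]+)\s+)?([A-Za-z?])\s+(\S+)$")


def parse_nm(lines):
    """Yield (symbol_name, symbol_type) pairs from nm-style output lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = NM_LINE.match(line)
        if m:
            yield m.group(3), m.group(2)


def find_affected(lines):
    """Return {symbol: nm_type} for every affected allocator symbol in the image.

    An empty result means the linker did not pull any of these functions into
    the final ELF, so the flagged library code is not part of the firmware.
    """
    found = {}
    for name, sym_type in parse_nm(lines):
        if name in AFFECTED_SYMBOLS:
            found[name] = sym_type
    return found


def report(lines):
    """Human-readable summary: 'clean' or the list of symbols to review."""
    hits = find_affected(lines)
    if not hits:
        return "clean: no memalign/pvalloc/valloc family symbols linked"
    listed = ", ".join(f"{n} ({t})" for n, t in sorted(hits.items()))
    return f"review: affected allocator symbols linked: {listed}"


# Constructed sample: a typical FreeRTOS image that only uses malloc/free.
SAMPLE_NM_CLEAN = """\
08000190 T main
080002a0 T malloc
080002c4 T _malloc_r
08000310 T free
08000340 T _sbrk
         U _exit
20000000 B ucHeap
""".splitlines()

# Constructed sample: the same image after something called memalign().
SAMPLE_NM_WITH_MEMALIGN = SAMPLE_NM_CLEAN + [
    "08000400 T memalign",
    "08000460 T _memalign_r",
]


if __name__ == "__main__":
    # Usage: arm-none-eabi-nm project.elf | python check_newlib_symbols.py
    print(report(sys.stdin))
```

Run it against the `.elf`, not against the library archives: with the usual `-ffunction-sections -fdata-sections -Wl,--gc-sections` flags STM32CubeIDE passes, a function nobody references is discarded at link time and will not appear here. The `-Wl,-Map=` map file the IDE produces shows the same information with the archive member each symbol came from, which is useful evidence to attach when marking the finding as not applicable in the scanner.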

ST Employee

Welcome @Pavel A.,

Absolutely, this is exactly what I asked the development team that manages either tools or libraries.