CVE-2021-39228
Tremor is an event processing system for unstructured data
Published: 2021-09-17 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- CWE: CWE-416 (Use After Free), CWE-825 (Expired Pointer Dereference)
Affected products
| Vendor | Product |
|---|---|
| linuxfoundation | tremor |
Description
Tremor is an event processing system for unstructured data. A memory safety vulnerability affects versions from 0.7.2 up to, but not including, 0.11.6. It is triggered when a tremor-script script uses `patch` or `merge` on `state` and assigns the result directly back to `state`. In that case, affected versions of Tremor and of the tremor-script crate keep references to memory that may already have been freed, and those memory regions can be read out by retrieving `state`, for example by sending it over TCP or HTTP. Exploitation requires the Tremor server (or any other program embedding tremor-script) to execute a script that uses this construct. The issue was fixed in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a workaround is to sidestep the optimization by assigning the result of the `patch` or `merge` to a temporary variable first, rather than reassigning to `state` directly.
Source: NVD
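The construct the description refers to, shown in an affected form and in the advisory's temporary-variable form, together with a small audit helper that flags the affected pattern and checks a version against the stated range. This is an added example, not code from the NVD record, the advisory, or the tremor project: the sample scripts are constructed, their tremor-script syntax (`let state = ...`, `merge ... of ... end`, `patch ... of ... end`) is assumed from the language's documentation, and the affected range 0.7.2 <= version < 0.11.6 is read from the description above.

```python
import re

# Constructed sample scripts (not from the advisory or the tremor project).
# The tremor-script syntax used here is assumed from the language's documentation.
VULNERABLE_SCRIPT = """\
define script counter
script
  # affected construct: merge/patch on `state`, result assigned straight back
  let state = merge state of {"count": 1} end;
  let state = patch state of
    insert "last_event" => event
  end;
  state
end;
"""

WORKAROUND_SCRIPT = """\
define script counter
script
  # advisory workaround: route the result through a temporary variable
  let merged = merge state of {"count": 1} end;
  let state = merged;
  let patched = patch state of insert "last_event" => event end;
  let state = patched;
  state
end;
"""

# `let state = merge state ...` / `let state = patch state ...`, whitespace-insensitive.
# `let state = merged;` does not match because `(merge|patch)` must be followed
# by whitespace and then the literal `state`.
DIRECT_REASSIGN = re.compile(r"\blet\s+state\s*=\s*(merge|patch)\s+state\b")
LET_STATE = re.compile(r"\blet\s+state\b")


def find_direct_state_reassignments(script: str) -> list[tuple[int, str]]:
    """Return (line_number, construct) for every statement that merges or
    patches `state` and assigns the result directly back to `state`.

    Statements may span several lines, so lines are accumulated until a `;`
    terminator and matched as one unit. `#` comments are stripped first; a
    `#` inside a string literal would be mis-read, which is acceptable for an
    audit aid but means a hit list, not a proof of absence.
    """
    hits: list[tuple[int, str]] = []
    buf: list[tuple[int, str]] = []  # (line number, code without comment)
    for lineno, raw in enumerate(script.splitlines(), start=1):
        code = raw.split("#", 1)[0].rstrip()
        if not code.strip():
            continue
        buf.append((lineno, code))
        if code.endswith(";"):
            joined = " ".join(c for _, c in buf)
            m = DIRECT_REASSIGN.search(joined)
            if m:
                # report the line on which the `let state` itself appears
                first = next(n for n, c in buf if LET_STATE.search(c))
                hits.append((first, m.group(1)))
            buf = []
    return hits


def is_affected_version(version: str) -> bool:
    """Affected range as read from the description: 0.7.2 <= version < 0.11.6.

    Assumes a plain `MAJOR.MINOR.PATCH` string, optionally prefixed with `v`;
    pre-release suffixes are not handled.
    """
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return (0, 7, 2) <= parts < (0, 11, 6)


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SCRIPT), ("workaround", WORKAROUND_SCRIPT)):
        print(name, find_direct_state_reassignments(src))
    for v in ("0.7.1", "0.7.2", "0.11.5", "0.11.6"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The scanner is a triage aid for deployments that cannot upgrade immediately: it tells you which scripts use the construct and therefore need the temporary-variable rewrite, but only an upgrade to 0.11.6 or later removes the optimization itself.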
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-39228
- [Patch] https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e
- [Patch] https://github.com/tremor-rs/tremor-runtime/pull/1217
- [Other] https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6
- [Other] https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85
Related CVEs
Same vendor
- CVE-2026-44477 — CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments (9.9 CRITICAL)
- CVE-2026-44247 — Volcano is a Kubernetes-native batch scheduling system (6.8 MEDIUM)
- CVE-2026-44374 — Backstage is an open framework for building developer portals (4.3 MEDIUM)
- CVE-2026-45321 — On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm ... (9.6 CRITICAL)
- CVE-2026-37531 — AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-... (9.8 CRITICAL)
Same CWE
- CVE-2026-10640 — Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated th... (4.2 MEDIUM)
- CVE-2026-10639 — In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to ne... (4.8 MEDIUM)
- CVE-2026-10638 — subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data() (5.9 MEDIUM)
- CVE-2026-10637 — subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully (5.9 MEDIUM)
- CVE-2026-10636 — In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_i... (3.7 LOW)