Skip to main content

Thrift CVE-2021-24028

CRITICAL
Release of Invalid Pointer or Reference (CWE-763)
2021-04-14 cve-assign@fb.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 14, 2021 - 00:15 nvd
CRITICAL 9.8

DescriptionNVD

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.

AnalysisAI

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.02.22.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-763. An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.02.22.00. Affected products include: Facebook Thrift.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Thrift

View all
CVE-2026-41604 HIGH
8.2 Apr 28

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigge

CVE-2026-41602 HIGH
7.5 Apr 28

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash

CVE-2019-0210 HIGH
7.5 Oct 29

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when f

CVE-2019-0205 HIGH
7.5 Oct 29

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with

CVE-2019-3565 HIGH
7.5 May 06

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers o

CVE-2019-3564 HIGH
7.5 May 06

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high

CVE-2019-3559 HIGH
7.5 May 06

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated hi

CVE-2019-3558 HIGH
7.5 May 06

Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated

CVE-2019-3552 HIGH
7.5 May 06

C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown ty

CVE-2026-41603 HIGH
7.4 Apr 28

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle

CVE-2026-41605 HIGH
7.3 Apr 28

Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthen

CVE-2026-43869 HIGH
7.3 May 05

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.2

Share

CVE-2021-24028 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy