Vulnerability DatabaseCVE-2021-32843

CVE-2021-32843:
Homebrew vulnerability analysis and mitigation

Overview

HyperKit, a toolkit for embedding hypervisor capabilities in applications, was found to contain a vulnerability in versions 0.20210107 and prior. The vulnerability (CVE-2021-32843) involves a null pointer dereference in the vc_cfgread function pointer within virtio.c, which could be triggered by a malicious guest operating system (GitHub Security Lab).

Technical details

The vulnerability exists in the vi_pci_read function where there is a call to vc_cfgread that does not check for null. The function pointer vc_cfgread is used to read the virtio configuration of a device, which is an operation that the guest performs to initialize the virtio drivers. Not every device implements all available operations, and one such device is vtrnd which is used to supply randomness to the guest. The vulnerability occurs when this unchecked null pointer is dereferenced (GitHub Security Lab).

Impact

When exploited, this vulnerability allows a malicious guest to trigger a crash of the host system, resulting in a denial of service condition. The crash occurs due to the null pointer dereference when attempting to access the unimplemented function (GitHub Security Lab).

Mitigation and workarounds

The issue has been fixed by adding a null check before calling the vc_cfgread function pointer, similar to what is implemented in bhyve. The fix was merged into the main repository through pull request #313 (GitHub PR).

Additional resources

Source: This report was generated using AI

Related Homebrew vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22861	HIGH	8.8	Homebrew	iccdev	No	Yes	Jan 13, 2026
CVE-2026-22776	HIGH	8.7	Homebrew	cpp-httplib	No	Yes	Jan 12, 2026
CVE-2026-22783	HIGH	8.1	NixOS	iris	No	Yes	Jan 12, 2026
CVE-2026-21283	HIGH	7.8	Adobe Bridge	bridge	No	Yes	Jan 13, 2026
CVE-2026-22784	LOW	2.3	NixOS	lychee	No	Yes	Jan 12, 2026