CVE-2021-36088: 
Fluent Bit vulnerability analysis and mitigation

Fluent Bit (also known as fluent-bit) versions 1.7.0 through 1.7.4 were affected by a double-free vulnerability in the flbfree function, which is called from flbparserjsondo and flbparserdo functions (CVE Details). The vulnerability was discovered and disclosed on July 1, 2021.

The vulnerability is a heap-double-free issue that occurs in the flbfree function when it's called through the parsing chain flbparserjsondo and flbparserdo. The bug was identified through OSS-Fuzz testing and was assigned a HIGH severity rating (OSS Fuzz Report). The issue was introduced in commit 68746b76af8b143daf477033a6799902be2f3cad and was subsequently fixed in commits 22346a74c07ceb90296be872be2d53eb92252a54 and 9b4d9ee0f9d42383bad593b05b95f25e8b294c71.

A double-free vulnerability can lead to memory corruption, which could potentially result in program crashes, denial of service conditions, or in some cases, arbitrary code execution. This vulnerability affects all Fluent Bit installations running versions 1.7.0 through 1.7.4 (OSS Fuzz Report).

The vulnerability was fixed in a patch that adds proper NULL pointer handling and prevents the double-free condition. Users should upgrade to a version of Fluent Bit that contains the fix. The fix involves setting mpbuf to NULL after freeing it and ensuring proper cleanup of tmpout_buf (GitHub Commit).