CVE-2024-21502: 
Python vulnerability analysis and mitigation

CVE-2024-21502 affects versions of the fastecdsa package before 2.3.2. The vulnerability was discovered in February 2024 and involves a Use of Uninitialized Variable on the stack in the curvemath_mul function within src/curveMath.c. The vulnerability affects the fastecdsa Python package, which is designed for performing fast elliptic curve cryptography, specifically digital signatures (Snyk Advisory).

The vulnerability stems from an uninitialized variable on the stack in the curvemathmul function. The variable is used and interpreted as a user-defined type, leading to undefined behavior. The issue occurs when the variable is passed to functions pointZZpMul and mpz_clears, where the latter calls free() internally. The vulnerability is triggered when a point multiplication operation is performed with specific parameters, particularly when using a curve with b=0 and point (0,0) (GitHub PoC).

Depending on the variable's actual value, the vulnerability could lead to arbitrary free(), arbitrary realloc(), null pointer dereference, and other memory-related issues. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, potentially leading to heap exploitation. The primary impact is denial of service, but there are also risks of sensitive information leakage and potential remote code execution (Snyk Advisory).

The vulnerability has been fixed in version 2.3.2 of the fastecdsa package. The fix involves properly initializing the variable by adding 'mpz_inits(result.x, result.y, NULL)' to the affected code. Users are strongly recommended to upgrade to version 2.3.2 or later to address this security issue (GitHub Commit).