CVE-2009-1721 — Access of Uninitialized Pointer in Openexr

CWE-824 — Access of Uninitialized Pointer8 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

25.3%

top 3.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openexr Apple MAC OS X Debian Openexr +4 more

Timeline

PublishedJul 31

Latest updateMay 2

Description

The decompression implementation in the Imf::hufUncompress function in OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a free of an uninitialized pointer.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages5 packages

▶debiandebian/openexr< openexr 1.6.1-4.1 (bookworm)

▶Debianopenexr/openexr< 1.6.1-4.1+3

▶NVDopenexr/openexr1.2.2, 1.6.1+1

▶NVDapple/mac_os_x< 10.5.8

▶NVDopensuse/opensuse10.0, 10.3, 11.0+2

Also affects: Debian Linux 4.0, 5.0, Fedora 10, 11, Ubuntu Linux 8.04, 8.10, 9.04

Patches

Patch: release.debian.org ↗Patch: security.debian.org ↗Patch: security.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-wrhp-5vcr-45pg: The decompression implementation in the Imf::hufUncompress function in OpenEXR 1↗2022-05-02

▶

OSV

CVE-2009-1721: The decompression implementation in the Imf::hufUncompress function in OpenEXR 1↗2009-07-31

▶

📋Vendor Advisories

Ubuntu

OpenEXR vulnerabilities↗2009-09-14

▶

Red Hat

OpenEXR: Invalid pointer free by image decompression↗2009-07-28

▶

Debian

CVE-2009-1721: openexr - The decompression implementation in the Imf::hufUncompress function in OpenEXR 1...↗2009

▶

📐Framework References

CWE

Access of Uninitialized Pointer↗

▶

💬Community

Bugzilla

CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression↗2009-07-27

▶