CVE-2021-21772Use After Free in Lib3mf

CWE-416Use After Free7 documents6 sources
Severity
8.1HIGHNVD
EPSS
1.7%
top 17.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
3MF Lib3mfDebian Lib3mfDebian Linux+1 more
Timeline
PublishedMar 10
Latest updateJul 11

Description

A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

debiandebian/lib3mf< lib3mf 1.8.1+ds-4 (bookworm)
Debian3mf/lib3mf< 1.8.1+ds-4+3
NVD3mf/lib3mf2.0.0

Also affects: Debian Linux 10.0, Fedora 32, 33, 34

🔴Vulnerability Details

2
GHSA
GHSA-6f4r-f2fv-g8f4: A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 22022-05-24
OSV
CVE-2021-21772: A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 22021-03-10

📋Vendor Advisories

2
Ubuntu
lib3mf vulnerability2023-07-11
Debian
CVE-2021-21772: lib3mf - A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP(...2021

🕵️Threat Intelligence

2
Talos
Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf2021-03-10
Talos
Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf2021-03-10
CVE-2021-21772 — Use After Free in Debian Lib3mf | cvebase