CVE-2021-33646 — Missing Release of Memory after Effective Lifetime in Libtar

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-416 — Use After Free9 documents7 sources

Severity

7.5HIGHNVD

OSV9.1

EPSS

0.2%

top 53.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Feep Libtar Debian Libtar Fedoraproject Fedora +10 more

Timeline

PublishedAug 10

Latest updateMar 31

Description

The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages15 packages

▶NVDfeep/libtar< 1.2.21

▶debiandebian/libtar< libtar 1.2.20-8+deb12u1 (bookworm)

▶Debianfeep/libtar< 1.2.20-8+deb12u1~deb11u1+1

▶Ubuntufeep/libtar< 1.2.20-8ubuntu0.20.04.1+4

▶CVEListV5feep/libtar<1.2.21

Also affects: Fedora 35, 36, 37

🔴Vulnerability Details

OSV

libtar vulnerabilities↗2025-03-31

▶

GHSA

GHSA-x27v-rjqh-f4xc: The th_read() function doesn’t free a variable t->th_buf↗2022-08-11

▶

OSV

CVE-2021-33646: The th_read() function doesn’t free a variable t->th_buf↗2022-08-10

▶

📋Vendor Advisories

Ubuntu

libtar vulnerabilities↗2025-03-31

▶

Red Hat

libtar: fixes for CVE-2021-33645 and CVE-2021-33646 introduced new use-after-free bugs in libtar↗2022-12-09

▶

Red Hat

libtar: memory leak found in th_read() function↗2022-08-10

▶

Microsoft

The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory which may cause a memory leak.↗2022-08-09

▶

Debian

CVE-2021-33646: libtar - The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allo...↗2021

▶