CVE-2021-3933Integer Overflow or Wraparound in Openexr

CWE-190Integer Overflow or Wraparound8 documents6 sources
Severity
5.5MEDIUMNVD
OSV5.3
EPSS
0.5%
top 32.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
OpenexrDebian OpenexrDebian Linux+1 more
Timeline
PublishedMar 25
Latest updateSep 20

Description

An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

debiandebian/openexr< openexr 3.1.5-2 (bookworm)
NVDopenexr/openexr< 3.1.2
Debianopenexr/openexr< 2.5.4-2+deb11u1+3
Ubuntuopenexr/openexr< 2.3.0-6ubuntu0.5+esm1+1
CVEListV5openexr/openexrOpenEXR 3.1.2

Also affects: Debian Linux 10.0, 11.0, Fedora 36

🔴Vulnerability Details

3
OSV
openexr vulnerabilities2022-09-20
GHSA
GHSA-jmmx-24xf-r6qm: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits2022-03-26
OSV
CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits2022-03-25

📋Vendor Advisories

4
Ubuntu
OpenEXR vulnerabilities2022-09-20
Ubuntu
OpenEXR vulnerability2021-11-11
Red Hat
openexr: Integer-overflow in Imf_3_1::bytesPerDeepLineTable2021-09-18
Debian
CVE-2021-3933: openexr - An integer overflow could occur when OpenEXR processes a crafted file on systems...2021