CVE-2021-42715 — Infinite Loop in STB Image.h

CWE-835 — Infinite Loop6 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 62.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nothings STB Image.h Debian Linux Fedoraproject Fedora

Timeline

PublishedOct 21

Latest updateMay 24

Description

An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDnothings/stb_image.h1.33 — 2.27

Also affects: Debian Linux 10.0, Fedora 33, 34, 35

🔴Vulnerability Details

GHSA

GHSA-x76g-p4rm-4xch: An issue was discovered in stb stb_image↗2022-05-24

▶

OSV

CVE-2021-42715: An issue was discovered in stb stb_image↗2021-10-21

▶

CVEList

CVE-2021-42715: An issue was discovered in stb stb_image↗2021-10-21

▶

📋Vendor Advisories

Red Hat

stb: DoS in stb_image HDR loader via a crafted file↗2021-10-07

▶

Debian

CVE-2021-42715: libstb - An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader par...↗2021

▶