CVE-2021-42716 — Classic Buffer Overflow in STB Image.h

CWE-120 — Classic Buffer Overflow CWE-125 — Out-of-bounds Read6 documents6 sources

Severity

7.1HIGHNVD

EPSS

0.3%

top 51.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject Fedora Nothings STB Image.h

Timeline

PublishedOct 21

Latest updateMay 24

Description

An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages1 packages

▶NVDnothings/stb_image.h2.27

Also affects: Fedora 33, 34, 35

🔴Vulnerability Details

GHSA

GHSA-44mr-92xw-jfrv: An issue was discovered in stb stb_image↗2022-05-24

▶

CVEList

CVE-2021-42716: An issue was discovered in stb stb_image↗2021-10-21

▶

OSV

CVE-2021-42716: An issue was discovered in stb stb_image↗2021-10-21

▶

📋Vendor Advisories

Red Hat

stb: heap-based buffer overflow in stb_image PNM loader↗2021-07-14

▶

Debian

CVE-2021-42716: libstb - An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly inte...↗2021

▶