CVE-2022-0545 — Integer Overflow or Wraparound in Blender

CWE-190 — Integer Overflow or Wraparound CWE-123 — Write-what-where Condition6 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.4%

top 38.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Blender Debian Blender Debian Linux

Timeline

PublishedFeb 24

Latest updateFeb 25

Description

An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/blender< blender 3.1.2+dfsg-1 (bookworm)

▶NVDblender/blender2.90.0 — 2.93.8+2

▶Debianblender/blender< 2.83.5+dfsg-5+deb11u1+2

▶CVEListV5blender/blenderBlender versions prior to 2.83.19, 2.93.8 and 3.1

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: developer.blender.org ↗Patch: developer.blender.org ↗

🔴Vulnerability Details

GHSA

GHSA-vwmp-5fxw-2gwj: An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing↗2022-02-25

▶

OSV

CVE-2022-0545: An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing↗2022-02-24

▶

📋Vendor Advisories

Debian

CVE-2022-0545: blender - An integer overflow in the processing of loaded 2D images leads to a write-what-...↗2022

▶

📐Framework References

CWE

Integer Overflow or Wraparound↗

▶

CWE

Write-what-where Condition↗

▶