CVE-2021-3477

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: OpenEXR versions prior to 3.0.0-beta

Description: The issue is related to a flaw in OpenEXR's deep tile sample size calculations, which can lead to an integer overflow and subsequently an out-of-bounds read when a crafted file is processed. This flaw poses the greatest risk to application availability. An attacker could exploit this by submitting a specially crafted file to be processed by OpenEXR, potentially causing a denial of service or allowing the execution of arbitrary code.

Recommendations: For versions prior to 3.0.0-beta, update to version 3.0.0-beta or later to resolve the issue. As a temporary workaround, consider restricting the processing of specially crafted EXR files to minimize the risk of exploitation. Avoid using the DeepTiledInputFile::initialize() function until a patch is available.

Fix

Integer Overflow

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190CWE-125

Related Identifiers

ALT-PU-2021-1863

ALT-PU-2021-1864

ALT-PU-2021-1933

ALT-PU-2021-1934

AZL-44628

BDU:2021-01977

CVE-2021-3477

DLA-2701-1

DLA-3236-1

MGASA-2021-0326

OESA-2021-1167

OPENSUSE-SU-2021:0670-1

OPENSUSE-SU-2021_0670-1

ROSA-SA-2023-2248

SUSE-SU-2021:1489-1

SUSE-SU-2021:3843-1

SUSE-SU-2021_1489-1

SUSE-SU-2021_3843-1

USN-4900-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Openexr

Suse

Ubuntu

CVE-2021-3477

Weakness Enumeration

Related Identifiers

Affected Products

References · 69