PT-2021-23217 · Zydis · Zydis

Geeknik · Published 2021-11-08 · Updated 2022-10-24 · CVE-2021-41253

CVSS v3.1 8.1 High
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zydis versions v3.2.0 and older
Description: Zydis is an x86/x86-64 disassembler library. Users who call the zycore string functions (for example ZyanStringAppend) from their custom formatter hooks to append untrusted data to the formatter buffer can trigger a heap buffer overflow. Older versions of Zydis did not fully initialize the string object inside the formatter buffer: a few of its fields were left uninitialized, so their values depended on whatever happened to be in memory. zycore string functions such as ZyanStringAppend read those fields when computing the new target size, and a bogus value leads to an incorrect size calculation and, from that, heap memory corruption. The regular, uncustomized Zydis formatter is not affected, because Zydis itself does not call the zycore string functions that depend on those fields.
Recommendations: For versions v3.2.0 and older, update to v3.2.1 or later, which initializes the missing fields. As a temporary workaround, do not call zycore string functions from custom formatter hooks until you have updated; appending untrusted data through them is what triggers the bug.
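The following is an added example, not Zydis or zycore code, that models the failure mode described above in a few dozen lines of C. The ToyString type, its growth_factor field, and the toy_string_* functions are hypothetical stand-ins for a zycore-style string object and its append routine; the 0.25 "garbage" growth factor is a deterministic substitute for whatever uninitialized memory would hold. It shows a formatter-hook-like callback appending caller-controlled text to a buffer that was set up two ways: with the growth policy left unset (the bug) and fully initialized (the fix). The guard before the copy is the sanity check a generic string routine can add so that a bad growth value is reported instead of becoming a heap overflow.

```c
/* Added example (not Zydis/zycore code): a simplified model of how a
 * partially initialised string object makes an append routine miscompute
 * its growth target, and how fully initialising the object fixes it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum {
    TOY_OK = 0,
    TOY_ERR_BAD_INIT,   /* growth computation inconsistent with the request */
    TOY_ERR_NO_MEMORY
} ToyStatus;

/* Hypothetical stand-in for a zycore-style string: a sized buffer plus the
 * growth policy that the generic append routine consults on reallocation. */
typedef struct {
    char   *data;
    size_t  size;          /* bytes used, excluding the terminator */
    size_t  capacity;      /* bytes allocated */
    float   growth_factor; /* capacity multiplier applied when growing */
} ToyString;

/* The buggy pattern: the caller sets the fields it uses itself and forgets
 * the ones only the generic string functions read. On a real heap
 * growth_factor would be whatever bytes happened to be there; we poison it
 * with a fixed value so the demo is reproducible. */
static void toy_string_init_partial(ToyString *s, size_t capacity)
{
    s->data = malloc(capacity);
    if (!s->data) abort();
    s->data[0] = '\0';
    s->size = 0;
    s->capacity = capacity;
    s->growth_factor = 0.25f; /* stands in for uninitialised memory */
}

/* The fixed pattern: every field the append routine reads is initialised. */
static void toy_string_init(ToyString *s, size_t capacity)
{
    toy_string_init_partial(s, capacity);
    s->growth_factor = 2.0f;
}

/* Generic append in the style of a library string routine: derive the new
 * target size from the object's own growth policy, reallocate, then copy.
 * The guard before the copy is what turns a bad growth_factor into an error
 * instead of a heap overflow. */
static ToyStatus toy_string_append(ToyString *s, const char *src, size_t len)
{
    size_t required = s->size + len + 1; /* +1 for the terminator */
    if (required > s->capacity) {
        size_t new_cap = (size_t)((float)required * s->growth_factor);
        if (new_cap < required) {
            /* Without this check, memcpy below writes past new_cap bytes. */
            return TOY_ERR_BAD_INIT;
        }
        char *p = realloc(s->data, new_cap);
        if (!p) return TOY_ERR_NO_MEMORY;
        s->data = p;
        s->capacity = new_cap;
    }
    memcpy(s->data + s->size, src, len);
    s->size += len;
    s->data[s->size] = '\0';
    return TOY_OK;
}

static void toy_string_free(ToyString *s)
{
    free(s->data);
    s->data = NULL;
}

/* A formatter-hook-like callback: appends caller-controlled text to the
 * buffer through the generic string function (the pattern the advisory
 * warns about when the buffer's string object is not fully initialised). */
static ToyStatus hook_append_untrusted(ToyString *buf, const char *untrusted)
{
    return toy_string_append(buf, untrusted, strlen(untrusted));
}

/* Sets up an 8-byte buffer the buggy or the fixed way, runs the hook on it,
 * and returns the resulting status. */
static ToyStatus run_demo(int fully_initialised, const char *untrusted)
{
    ToyString s;
    if (fully_initialised) toy_string_init(&s, 8);
    else                   toy_string_init_partial(&s, 8);
    ToyStatus st = hook_append_untrusted(&s, untrusted);
    toy_string_free(&s);
    return st;
}

int main(void)
{
    /* Constructed input: long enough to force the 8-byte buffer to grow. */
    const char *operand = "symbol_name_from_untrusted_binary";
    printf("partial init: %d\n", run_demo(0, operand)); /* 1 = TOY_ERR_BAD_INIT */
    printf("full init:    %d\n", run_demo(1, operand)); /* 0 = TOY_OK */
    printf("short input:  %d\n", run_demo(0, "ab"));    /* 0: no growth, no bug */
    return 0;
}
```

The short-input case is the reason the bug is easy to miss in testing: as long as the hook's output fits the initial buffer, the uninitialized field is never read, and only an operand long enough to force a reallocation exercises the broken size computation.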

Weakness Enumeration

Heap Based Buffer Overflow
Use of Uninitialized Resource

Related Identifiers

CVE-2021-41253
GHSA-Q42V-HV86-3M4G

Affected Products

Zydis