PT-2022-11605 · Libxml2+3

Published 2020-03-25 · Updated 2023-05-11 · CVE-2021-42521

CVSS v4.0: 8.7 (High)

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

VTK versions prior to 9.2.5

Description

The issue is a NULL pointer dereference vulnerability in IO/Infovis/vtkXMLTreeReader.cxx. It occurs because the vendor did not check the return value of the libxml2 API xmlDocGetRootElement before dereferencing it. This is unsafe because the return value can be NULL, potentially causing the application to crash.

Recommendations

For versions prior to 9.2.5, update to version 9.2.5 or later to resolve the issue. As a temporary workaround, consider adding checks for the return value of the xmlDocGetRootElement function to prevent NULL pointer dereferences.

Exploit

Fix

NULL Pointer Dereference

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2025-03971
CVE-2021-42521
GHSA-XFHG-9PJG-XG7G
PYSEC-2022-255

Affected Products

Astra Linux
Debian
VTK
Libxml2