Heap-based buffer overflow in OpenJPEG - CVE-2021-3575
Published: August 23, 2023
Vulnerability identifier: #VU79881
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-3575
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenJPEG
OpenJPEG
Software vendor:
openjpeg.org
openjpeg.org
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the sycc420_to_rgb() function in color.c. A remote attacker can pass specially crafted image data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.
External links
- https://bugzilla.redhat.com/show_bug.cgi?id=1957616
- https://github.com/uclouvain/openjpeg/issues/1347
- https://ubuntu.com/security/CVE-2021-3575
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/