Use of Uninitialized Variable in DaVinci Resolve

#VU59327 Use of Uninitialized Variable in DaVinci Resolve

Published: 2022-01-10

Vulnerability identifier: #VU59327

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-40418

CWE-ID: CWE-457

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
DaVinci Resolve
Client/Desktop applications / Virtualization software

Vendor: Blackmagic Design

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to use of uninitialized memory while parsing a file that is submitted to the DPDecoder service as a job. A remote attacker can execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

DaVinci Resolve: 17.3.1.0005

External links
http://talosintelligence.com/vulnerability_reports/TALOS-2021-1427

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Blackmagic Design DaVinci Resolve