#VU62729 Out-of-bounds write in Simple DirectMedia Layer - CVE-2021-33657


Vulnerability identifier: #VU62729

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-33657

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Simple DirectMedia Layer
Client/Desktop applications / Multimedia software

Vendor: zlib license

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing .BMP files in video/SDL_pixels.c. A remote attacker can create a specially crafted BMP file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Simple DirectMedia Layer: 2.0.0 - 2.0.20

External links
https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for libsdl2
Gentoo update for libsdl
Multiple vulnerabilities in Oracle Solaris third-party software
Slackware Linux update for sdl
Ubuntu update for libsdl1.2
Remote code execution in Simple DirectMedia Layer
SUSE update for SDL2
SUSE update for SDL
SUSE update for SDL
SUSE update for SDL2