Vulnerability Details : CVE-2021-42521
Potential exploit
There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', and try to dereference it. It is unsafe as the return value can be NULL and that NULL pointer dereference may crash the application.
Vulnerability category: Memory Corruption
Products affected by CVE-2021-42521
- cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-42521
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 16 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-42521
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-42521
-
The product does not properly control the allocation and maintenance of a limited resource.Assigned by: patrick@puiterwijk.org (Secondary)
-
The product dereferences a pointer that it expects to be valid but is NULL.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-42521
-
https://gitlab.kitware.com/vtk/vtk/issues/17818
Potential NULL pointer dereference : forgetting to check the return value of libxml2 API xmlDocGetRootElement (#17818) · Issues · VTK / VTK · GitLabExploit;Issue Tracking;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCTMSAAVP4BW2HTZLDWMGKZ2WEC5OFLK/
[SECURITY] Fedora 37 Update: vtk-9.1.0-18.fc37 - package-announce - Fedora Mailing-Lists
-
https://discourse.vtk.org/t/vtk-9-2-5-is-out/10549
VTK 9.2.5 is out - Announcements - VTK
Jump to