CVE-2021-20299

openSUSE Security Advisory - openSUSE-SU-2021:2793-1

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.

Se ha encontrado un fallo en la funcionalidad Multipart input file de OpenEXR. Un archivo de entrada multiparte diseñado sin partes reales puede desencadenar una desreferencia de puntero NULL. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema

An update that fixes 7 vulnerabilities is now available. This update for openexr fixes the following issues. Fixed Out-of-memory in B44Compressor. Fixed Null-dereference READ in Imf_2_5:Header:operator. Fixed Integer-overflow in Imf_2_5:hufUncompress. Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot. Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer. Fixed Undefined-shift in Imf_2_5:hufDecode.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-17 CVE Reserved
2021-08-20 CVE Published
2024-08-03 CVE Updated
2025-08-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (4)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25740	2022-12-13
https://bugzilla.redhat.com/show_bug.cgi?id=1939154	2022-12-13
https://github.com/AcademySoftwareFoundation/openexr/commit/25e9515b06a6bc293d871622b8cafaee7af84e0f	2022-12-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openexr Search vendor "Openexr"		Openexr Search vendor "Openexr" for product "Openexr"				< 2.5.4 Search vendor "Openexr" for product "Openexr" and version " < 2.5.4"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected