CVE-2021-21798

high-risk
Published 2021-09-15

An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go out of scope, resulting in the application dereferencing a stale pointer. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger the vulnerability.

Do I need to act?

!
63.4% chance of exploitation in next 30 days
EPSS score — higher than 37% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (2)

Affected Vendors

Gonitro

References (2)

Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2021-1267
Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2021-1267
50
/ 100
high-risk
Severity 24/34 · High
Exploitability 19/34 · Moderate
Exposure 7/34 · Low