CVE-2021-26567

moderate-risk

Published 2021-02-26

Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options.

Do I need to act?

1.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (5)

Diskstation Manager

Vs960Hd Firmware

Skynas Firmware

Diskstation Manager Unified Controller

Faad2

Affected Vendors

Synology Faad2 Project

References (4)

Patch https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa

Vendor Advisory https://www.synology.com/security/advisory/Synology_SA_20_26

Patch https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa

Vendor Advisory https://www.synology.com/security/advisory/Synology_SA_20_26

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 3/34 · Minimal

Exposure 12/34 · Low