CVE-2021-43579

moderate-risk
Published 2022-01-10

A stack-based buffer overflow in image_load_bmp() in HTMLDOC <= 1.9.13 results in remote code execution if the victim converts an HTML document linking to a crafted BMP file.

Do I need to act?

~
5.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
52425
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (2)

Affected Vendors

Debian Htmldoc Project

References (10)

Patch https://github.com/michaelrsweet/htmldoc/commit/27d08989a5a567155d506ac870ae7d8c...
Release Notes https://github.com/michaelrsweet/htmldoc/compare/v1.9.12...v1.9.13
Exploit https://github.com/michaelrsweet/htmldoc/issues/453
Exploit https://github.com/michaelrsweet/htmldoc/issues/456
Mailing List https://lists.debian.org/debian-lts-announce/2022/02/msg00022.html
Patch https://github.com/michaelrsweet/htmldoc/commit/27d08989a5a567155d506ac870ae7d8c...
Release Notes https://github.com/michaelrsweet/htmldoc/compare/v1.9.12...v1.9.13
Exploit https://github.com/michaelrsweet/htmldoc/issues/453
Exploit https://github.com/michaelrsweet/htmldoc/issues/456
Mailing List https://lists.debian.org/debian-lts-announce/2022/02/msg00022.html
40
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 9/34 · Low
Exposure 7/34 · Low