CVE-2021-42521

2022-08-2518:15:09

CWE-400

CWE-476

[email protected]

web.nvd.nist.gov

vtk

null pointer dereference

vulnerability

libxml2

xmldocgetrootelement

crash

nvd

cve-2021-42521

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

51.5%

JSON

There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn’t check the return value of libxml2 API ‘xmlDocGetRootElement’, and try to dereference it. It is unsafe as the return value can be NULL and that NULL pointer dereference may crash the application.

Affected configurations

NVD

Node

vtkvtkRange≤9.0.0

CPENameOperatorVersion
vtk:vtkvtkle9.0.0

CPE	Name	Operator	Version
vtk:vtk	vtk	le	9.0.0

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "vtk",
    "versions": [
      {
        "version": "VTK - 9.0.0 and before",
        "status": "affected"
      }
    ]
  }
]