CVE-2021-41253

2021-11-0800:00:00

ubuntu.com

zydis

library

heap buffer

overflows

memory corruption

uninitialized fields

formatter buffer

vulnerability

patch

workaround

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.7%

JSON

Zydis is an x86/x86-64 disassembler library. Users of Zydis versions v3.2.0
and older that use the string functions provided in zycore in order to
append untrusted user data to the formatter buffer within their custom
formatter hooks can run into heap buffer overflows. Older versions of Zydis
failed to properly initialize the string object within the formatter
buffer, forgetting to initialize a few fields, leaving their value to
chance. This could then in turn cause zycore functions like
ZyanStringAppend to make incorrect calculations for the new target size,
resulting in heap memory corruption. This does not affect the regular
uncustomized Zydis formatter, because Zydis internally doesn’t use the
string functions in zycore that act upon these fields. However, because the
zycore string functions are the intended way to work with the formatter
buffer for users of the library that wish to extend the formatter, we still
consider this to be a vulnerability in Zydis. This bug is patched starting
in version 3.2.1. As a workaround, users may refrain from using zycore
string functions in their formatter hooks until updating to a patched
version.