Integer Overflow Vulnerability in GNU cpio Affects Arbitrary Code Execution
CVE-2021-38185
Key Information:
Badges
Summary
The GNU cpio product version 2.13 is vulnerable to an integer overflow that allows attackers to execute arbitrary code via a specially crafted pattern file. The issue stems from the ds_fgetstr function within the dstring.c file, which can lead to an out-of-bounds write in the heap memory, potentially compromising the security of the system. It remains unclear whether the pattern file is always considered untrusted data, opening avenues for exploitation under certain conditions.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
21% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
- 🟡
Public PoC available
- 👾
Exploit known to exist