NULL Pointer Dereference Vulnerability in VTK by Kitware
CVE-2021-42521
7.5 HIGH
What is CVE-2021-42521?
A NULL pointer dereference vulnerability exists in the Visualization Toolkit (VTK) prior to version 9.2.5. This vulnerability is found in the file IO/Infovis/vtkXMLTreeReader.cxx, where the return value of the libxml2 API function 'xmlDocGetRootElement' is not properly validated. If this function returns NULL, the application will attempt to dereference a NULL pointer, potentially leading to an unexpected application crash. It is crucial for users of affected VTK versions to apply updates to mitigate this risk and ensure application stability.
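As an added example (not VTK's code and not part of the original advisory), the Python script below audits C/C++ source for the pattern described above: a result of xmlDocGetRootElement that is used before any NULL check. The embedded C sample, its function names and the line-based heuristic are constructed for illustration; the heuristic does not track scopes or control flow.

```python
import re

# Constructed C sample: the unchecked pattern beside its checked form.
SAMPLE = """\
static int load_unchecked(xmlDocPtr doc) {
    xmlNodePtr root = xmlDocGetRootElement(doc);
    return xmlStrlen(root->name);  // crashes if root is NULL
}

static int load_checked(xmlDocPtr doc) {
    xmlNodePtr node = xmlDocGetRootElement(doc);
    if (node == NULL) {
        return -1;  // document has no root element
    }
    return xmlStrlen(node->name);
}
"""

ASSIGN = re.compile(r"\b(\w+)\s*=\s*xmlDocGetRootElement\s*\(")
# Result dereferenced directly, with no variable to test at all.
DIRECT = re.compile(r"xmlDocGetRootElement\s*\([^()]*\)\s*->")

def null_check(var):
    """Regex for the usual NULL tests on var: !var, var == NULL, if (var)."""
    v = re.escape(var)
    return re.compile(rf"!\s*{v}\b|\b{v}\s*[!=]=\s*(?:NULL|nullptr|0)\b"
                      rf"|\bif\s*\(\s*{v}\s*[)&|]")

def find_unchecked_roots(source):
    """Return (line_no, name) for each root element used before a NULL check."""
    lines = [ln.split("//", 1)[0] for ln in source.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        if DIRECT.search(line):
            findings.append((i + 1, "<temporary>"))
            continue
        m = ASSIGN.search(line)
        if not m:
            continue
        var = m.group(1)
        checked, used = null_check(var), re.compile(rf"\b{re.escape(var)}\b")
        for later in lines[i + 1:]:
            if checked.search(later):
                break            # first mention is a NULL test: fine
            if used.search(later):
                findings.append((i + 1, var))   # used before any test
                break
    return findings

if __name__ == "__main__":
    for line_no, name in find_unchecked_roots(SAMPLE):
        print(f"line {line_no}: '{name}' is used without a NULL check")
```

Findings are candidates for manual review, since a check made in a caller or through a helper function is not visible to a line-based scan.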
Affected Version(s)
vtk VTK - 9.0.0 and before
