CVE-2022-0545

An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.

Published: Feb 24, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-0545
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-190

Affected Software
References

Software	From	Fixed in
blender / blender	2.90.0	2.93.8
blender / blender	-	2.83.19
blender / blender	3.0.0	3.1.0
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x

https://developer.blender.org/T94629
https://lists.debian.org/debian-lts-announce/2022/06/msg00021.html
https://www.debian.org/security/2022/dsa-5176

Vulnerability Database

289,697

CVE-2022-0545