CVE-2021-21772
Description
A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in lib3mf 2.0.0 allows code execution via a specially crafted 3MF file.
Vulnerability
A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() function of 3MF Consortium lib3mf version 2.0.0. The bug is reached while the library reads a crafted 3MF file, which is an OPC package stored as a ZIP archive. Any application that opens such a file through the public entry points Lib3MF::CReader::ReadFromBuffer or Lib3MF::CReader::ReadFromFile can trigger it [1][2].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted 3MF file to an application that parses it with lib3mf. No authentication is required, and the only user interaction needed is opening the malicious file. The bug is reachable remotely wherever the application accepts 3MF files from untrusted sources, for example an upload endpoint or a print-job submission path [1][2].
Impact
Successful exploitation leads to code execution in the context of the process using the library. The CVSS v3 score is 8.1 (High), with impacts to confidentiality, integrity, and availability [1][2].
Mitigation
The references cited for this CVE do not name a fixed upstream lib3mf version. They do include distribution security advisories (Debian DSA-4887, the Fedora package announcements, and Gentoo GLSA 202208-01), so users of packaged lib3mf should apply the updates those advisories describe and otherwise monitor the lib3mf project for a fixed release. Until a fixed build is deployed, restrict the processing of 3MF files from untrusted sources, or validate and isolate that processing, as a workaround [1][2].
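The workaround above says to restrict untrusted 3MF input. One practical form of that is a pre-screening gate that rejects structurally broken packages before lib3mf's reader ever sees them. The following is an added example, not code from the lib3mf project or from the advisory: it checks that the input is a well-formed ZIP, applies entry-count and size limits (the limit values are assumptions chosen for this example), refuses suspicious entry names, and confirms that the OPC parts a 3MF package must carry are present and that the 3D-model relationship resolves to an existing part. The relationship type and namespace URIs are the ones defined by the 3MF core and OPC specifications. The sample packages built by `build_3mf` are constructed here for the demonstration. This gate does not detect the use-after-free itself; it only narrows what reaches the vulnerable code path.

```python
"""Pre-screen a 3MF file before handing it to lib3mf (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type that points at the 3D model part (3MF core spec).
MODEL_REL_TYPE = "http://schemas.microsoft.com/3dmanufacturing/2013/01/3dmodel"
# OPC namespaces for the content-types part and relationship parts.
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Policy limits: assumed values for this example, tune per deployment.
MAX_ENTRIES = 256
MAX_UNCOMPRESSED = 64 * 1024 * 1024  # 64 MiB total, guards against zip bombs


def validate_3mf(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only when every check passes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "not a ZIP archive"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, f"bad zip: {exc}"
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return False, "too many entries"
        total = 0
        for info in infos:
            name = info.filename
            # Reject absolute paths and parent-directory components.
            if name.startswith("/") or ".." in name.split("/"):
                return False, f"suspicious entry name: {name}"
            total += info.file_size
            if total > MAX_UNCOMPRESSED:
                return False, "uncompressed size over limit"
        # testzip() returns the first entry whose CRC fails, or None.
        if zf.testzip() is not None:
            return False, "CRC mismatch in archive"
        names = set(zf.namelist())
        for required in ("[Content_Types].xml", "_rels/.rels"):
            if required not in names:
                return False, f"missing {required}"
        # Both OPC control parts must at least be well-formed XML.
        try:
            ET.fromstring(zf.read("[Content_Types].xml"))
            rels = ET.fromstring(zf.read("_rels/.rels"))
        except ET.ParseError as exc:
            return False, f"malformed OPC part: {exc}"
        targets = [
            r.get("Target", "")
            for r in rels.findall(f"{{{REL_NS}}}Relationship")
            if r.get("Type") == MODEL_REL_TYPE
        ]
        if len(targets) != 1:
            return False, f"expected one 3dmodel relationship, found {len(targets)}"
        part = targets[0].lstrip("/")
        if part not in names:
            return False, f"3dmodel relationship points to missing part {part}"
    return True, "ok"


def build_3mf(parts: dict[str, bytes]) -> bytes:
    """Constructed sample: assemble an in-memory ZIP from part name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Minimal package layout used for the demonstration (constructed input).
MINIMAL_PARTS = {
    "[Content_Types].xml": (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" '
        'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="model" '
        'ContentType="application/vnd.ms-package.3dmanufacturing-3dmodel+xml"/>'
        "</Types>"
    ).encode(),
    "_rels/.rels": (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rel0" Type="{MODEL_REL_TYPE}" Target="/3D/3dmodel.model"/>'
        "</Relationships>"
    ).encode(),
    "3D/3dmodel.model": b'<model unit="millimeter"><resources/><build/></model>',
}


def screen_examples() -> dict[str, tuple[bool, str]]:
    """Run the gate over a valid package and several malformed ones."""
    missing_model = {k: v for k, v in MINIMAL_PARTS.items() if k != "3D/3dmodel.model"}
    traversal = dict(MINIMAL_PARTS)
    traversal["../escape.txt"] = b"x"
    return {
        "valid": validate_3mf(build_3mf(MINIMAL_PARTS)),
        "not_zip": validate_3mf(b"definitely not a zip"),
        "missing_model": validate_3mf(build_3mf(missing_model)),
        "traversal": validate_3mf(build_3mf(traversal)),
    }


if __name__ == "__main__":
    for label, result in screen_examples().items():
        print(f"{label:14s} -> {result}")
```

Run the gate in a separate, low-privilege process from the one that calls lib3mf, and only pass files that return `(True, "ok")` on to ReadFromFile or ReadFromBuffer; a rejected file should be logged with its reason so that a wave of malformed submissions is visible to detection.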
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 3MF Consortium/lib3mf
- Range: = 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHMMHD2EOMIVJ7EKZTJJMX4C7E6ZRWDL/ (mitre, vendor-advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPBS642OYVA6DUKK3HZHEINVWEDZSMEU/ (mitre, vendor-advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDGGB65YBQL662M3MOBNNJJNRNURW4TG/ (mitre, vendor-advisory)
- https://security.gentoo.org/glsa/202208-01 (mitre, vendor-advisory)
- https://www.debian.org/security/2021/dsa-4887 (mitre, vendor-advisory)
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1226 (mitre)
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1226 (mitre)
News mentions
No linked articles in our index yet.