VYPR
High severity · NVD Advisory · Published Mar 12, 2021 · Updated Aug 3, 2024

CVE-2021-28306

Description

An issue was discovered in the fltk crate before 0.15.3 for Rust. There is a NULL pointer dereference during attempted use of a multi label type if the image is nonexistent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the fltk crate for Rust before 0.15.3 can be triggered by using a multi label type when the associated image is nonexistent.

The vulnerability resides in the Rust fltk crate, which provides bindings for the FLTK GUI library. The bug is a NULL pointer dereference that occurs when a widget's label type is set to LabelType::Multi and the widget has no associated image (i.e., the image is nonexistent). This lack of a proper null check leads to undefined behavior when the library attempts to use the null pointer as if it pointed to a valid image structure.

An attacker can exploit this issue by crafting a GUI application that uses the vulnerable LabelType::Multi on a widget without providing an image. The attack does not require special network access; it can be triggered locally by the application's own code. Note that the vulnerability is specific to fltk crate versions before 0.15.2 (for the affected function WidgetExt::set_label_type) and to the earlier versions detailed in the advisory [1][3].

If successfully exploited, an attacker can cause a denial-of-service condition through a segmentation fault or potentially achieve memory corruption, leading to arbitrary code execution in the context of the application. The issue was discovered and reported through the RustSec advisory database [3] and the project's issue tracker [4].

Mitigation is available by upgrading the fltk crate to version 0.15.3 or later, which includes the fix. No workaround is necessary for users who update their dependencies accordingly [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
fltk (crates.io)   < 0.15.3            0.15.3

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.