CVE-2021-28307
Description
An issue was discovered in the fltk crate before 0.15.3 for Rust. There is a NULL pointer dereference during attempted use of a non-raster image for a window icon.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in fltk-rs before 0.15.3 allows crashes when a non-raster image is used as a window icon.
Vulnerability
The fltk crate for Rust, before version 0.15.3, contains a NULL pointer dereference vulnerability in the WindowExt::set_icon function. This occurs when a non-raster image type (such as a Pixmap) is passed as the window icon, leading to a NULL pointer access [1][2][3].
Exploitation
An attacker or malicious input could cause an application using fltk-rs to set a non-raster image as the window icon, triggering the dereference. This requires the application to accept external image data or user-controlled icon paths. The vulnerability is reachable without authentication, as it stems from improper image type validation [3][4].
Impact
Successful exploitation results in a segmentation fault (crash) due to the NULL pointer dereference. In multithreaded or sensitive environments, this may lead to denial of service or potentially undefined behavior [2][3].
Mitigation
The issue is fixed in fltk-rs version 0.15.3 and later. Users should update their dependencies accordingly. No workaround is described other than avoiding the use of non-raster images as window icons [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fltk (crates.io) | < 0.15.3 | 0.15.3 |
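
The version range above can be checked against a project's Cargo.lock. The following is an added example, not code from fltk-rs or from the advisory; the function names are hypothetical, the lockfile text is constructed, and treating pre-releases of 0.15.3 and unparseable versions as affected is a conservative assumption.

```rust
// Added example: flag locked `fltk` versions that predate the 0.15.3 fix.
const PATCHED: (u64, u64, u64) = (0, 15, 3);

/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into its numeric core and a pre-release flag.
fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let no_build = v.split('+').next()?;
    let (core, pre) = match no_build.split_once('-') {
        Some((c, _)) => (c, true),
        None => (no_build, false),
    };
    let mut it = core.split('.').map(|p| p.parse::<u64>());
    let ver = (it.next()?.ok()?, it.next()?.ok()?, it.next()?.ok()?);
    if it.next().is_some() { return None; }
    Some((ver, pre))
}

/// True when the version is below 0.15.3 (assumption: a 0.15.3 pre-release counts as affected).
fn is_affected(v: &str) -> bool {
    match parse_version(v) {
        Some((core, pre)) => core < PATCHED || (core == PATCHED && pre),
        None => true, // assumption: unparseable versions are flagged for manual review
    }
}

/// Return every locked `fltk` version in the Cargo.lock text that is affected.
fn affected_fltk_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    // Text before the first [[package]] header (the lockfile format version) is skipped.
    for block in lockfile.split("[[package]]").skip(1) {
        let field = |key: &str| {
            block.lines().find_map(|l| {
                let (k, v) = l.split_once('=')?;
                (k.trim() == key).then(|| v.trim().trim_matches('"').to_string())
            })
        };
        // Exact name match, so sibling crates such as fltk-sys are not reported.
        if field("name").as_deref() == Some("fltk") {
            if let Some(v) = field("version") {
                if is_affected(&v) { hits.push(v); }
            }
        }
    }
    hits
}

fn main() {
    // Constructed sample lockfile content, not taken from a real project.
    let sample = "[[package]]\nname = \"fltk\"\nversion = \"0.15.2\"\n";
    for v in affected_fltk_versions(sample) { println!("fltk {} is affected; upgrade to 0.15.3 or later", v); }
}
```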
Affected products
- fltk/fltk (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-7qcc-g2m9-8533 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-28307 (ghsa, ADVISORY)
- github.com/MoAlyousef/fltk-rs/issues/519 (ghsa, WEB)
- rustsec.org/advisories/RUSTSEC-2021-0038.html (ghsa, x_refsource_MISC, WEB)