Critical severity9.8NVD Advisory· Published Jan 19, 2022· Updated Jun 17, 2026
CVE-2021-33912
CVE-2021-33912
Description
libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- libspf2/libspf2description
Patches
Vulnerability mechanics
References
4- nathanielbennett.com/blog/libspf2-cve-jan-2022-disclosurenvdExploitThird Party Advisory
- github.com/shevek/libspf2/tree/8131fe140704eaae695e76b5cd09e39bd1dd220bnvdThird Party Advisory
- lists.debian.org/debian-lts-announce/2022/01/msg00015.htmlnvdMailing ListThird Party Advisory
- security.gentoo.org/glsa/202401-22nvd
News mentions
0No linked articles in our index yet.