VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2021 · Updated Aug 4, 2024

CVE-2021-43279

Description

An out-of-bounds write vulnerability exists in the U3D file reading procedure in Open Design Alliance PRC SDK before 2022.10. Crafted data in a U3D file can trigger a write past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds write in ODA PRC SDK before 2022.10 allows remote attackers to execute arbitrary code by tricking a user into opening a crafted U3D file.

Vulnerability

An out-of-bounds write vulnerability exists in the U3D file reading procedure of the Open Design Alliance (ODA) PRC SDK prior to version 2022.10 [1][2]. Crafted data in a U3D file can trigger a write past the end of an allocated buffer, leading to memory corruption.

Exploitation

Exploitation requires user interaction. An attacker must convince a target user to visit a malicious web page or open a crafted U3D file in an application that uses the vulnerable ODA PRC SDK, such as ODAViewer [2]. No additional privileges beyond user-level access are required. When the application parses the malicious U3D data, the SDK writes beyond the bounds of an allocated heap buffer.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process [2]. Combined with other vulnerabilities, this can lead to full compromise of the affected application and potentially the underlying system, with impacts on confidentiality, integrity, and availability (CVSS 7.8) [2].

Mitigation

The vulnerability is fixed in ODA PRC SDK version 2022.10 [1]. Users should update to this version or later. If an immediate update is not possible, avoid opening untrusted U3D files in applications using the vulnerable SDK. No public evidence of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog was found in the provided references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

2
