CVE-2021-45944
Description
GhostPDL 9.50 through 9.53.3 has a use-after-free in sampled_data_sample, leading to potential memory corruption or code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GhostPDL versions 9.50 through 9.53.3 contain a use-after-free vulnerability in the sampled_data_sample function, which is called from sampled_data_continue and interp. This flaw resides in the Ghostscript PostScript interpreter and can be triggered when processing crafted PostScript or PDF files that invoke the sampled data functions. The issue was discovered through OSS-Fuzz (OSV-2021-237) and affects the GhostPDL product line [1][2].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted PostScript or PDF file that causes the sampled_data_sample function to access memory after it has been freed. No authentication is required; the attack vector is local or remote via file upload/processing. The attacker must entice a user or an automated system to open the malicious file with a vulnerable version of GhostPDL. The exact sequence involves crafting input that triggers the use-after-free condition during sampled data processing, potentially leading to memory corruption [1][2].
Impact
Successful exploitation of the use-after-free could result in information disclosure, memory corruption, or arbitrary code execution. The impact is dependent on how the freed memory is reused after the vulnerability is triggered. In the context of GhostPDL as a component in printer drivers or document processing, this could lead to remote code execution with the privileges of the affected service or user [1][2].
Mitigation
The vulnerability is fixed in GhostPDL versions after 9.53.3. The fixing commit is 7861fcad13c497728189feafb41cd57b5b50ea25 [1]. Users should upgrade to GhostPDL 9.54.0 or later. No workarounds are provided; applying the patch or updating to the latest version is the recommended action. There is no evidence this CVE is listed in the CISA KEV catalogue [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ghostscript/GhostPDL (description)
- osv-coords, 16 versions:
  - pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 9.52-161.1
  - pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Tumbleweed (no CPE), range: < 9.54.0-3.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%206 (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%207 (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2 (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 9.52-23.48.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 9.52-23.48.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 9.52-161.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 9.52-23.48.1
  - pkg:rpm/suse/htmldoc&distro=SUSE%20Package%20Hub%2012%20SP1 (no CPE), range: < 1.8.28-9.1
References
- www.debian.org/security/2022/dsa-5038 (mitre, vendor-advisory, x_refsource_DEBIAN)
- bugs.chromium.org/p/oss-fuzz/issues/detail (mitre, x_refsource_MISC)
- bugs.chromium.org/p/oss-fuzz/issues/detail (mitre, x_refsource_MISC)
- git.ghostscript.com (mitre, x_refsource_MISC)
- github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml (mitre, x_refsource_MISC)
- github.com/google/oss-fuzz-vulns/issues/16 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2022/01/msg00006.html (mitre, mailing-list, x_refsource_MLIST)