CVE-2022-0545: Integer Overflow
First published: Thu Feb 24 2022(Updated: )
An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.
Credit: patrick@puiterwijk.org patrick@puiterwijk.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Blender Blender | <2.83.19 | |
| Blender Blender | >=2.90.0<2.93.8 | |
| Blender Blender | >=3.0.0<3.1.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/blender | 2.79.b+dfsg0-7+deb10u1 2.83.5+dfsg-5+deb11u1 3.4.1+dfsg-2 3.6.2+dfsg-2 | |
| Debian | =10.0 | |
| Debian | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://developer.blender.org/T94629
- https://lists.debian.org/debian-lts-announce/2022/06/msg00021.html
- https://www.debian.org/security/2022/dsa-5176
- https://developer.blender.org/D13744
- https://developer.blender.org/rB82858ca3f4e6dc6f840af9306c350900abd491fc
- https://developer.blender.org/rBe07f16776bca5e9494e6b143170f31d5eeb160ce
- https://developer.blender.org/rB63fdcbb5889e31b5f07d8d5c8e923cc57900fe1b
- https://security-tracker.debian.org/tracker/CVE-2022-0545
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-0545.
What is the severity of CVE-2022-0545?
The severity of CVE-2022-0545 is high with a CVSS score of 7.8.
What is the affected software?
The affected software is Blender versions up to 2.83.19, versions between 2.90.0 and 2.93.8, and versions between 3.0.0 and 3.1.0. It also affects Debian Linux versions 10.0 and 11.0 with the Blender package versions 2.79.b+dfsg0-7+deb10u1, 2.83.5+dfsg-5+deb11u1, 3.4.1+dfsg-2, and 3.6.2+dfsg-2.
What is the impact of CVE-2022-0545?
CVE-2022-0545 can lead to a write-what-where vulnerability and an out-of-bounds read vulnerability, potentially allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded.
How can I fix CVE-2022-0545?
To fix CVE-2022-0545, it is recommended to update to the latest version of Blender or apply the provided patches from the official Blender website or the Debian security advisory.
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/remedy
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/blender
- canonical/blender blender
- version/blender blender/2.90.0
- version/blender blender/3.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian
- canonical/debian
- version/debian/10.0
- version/debian/11.0