关键信息 漏洞概览 漏洞编号: CVE-2021-21772 漏洞类型: Use-After-Free (CWE-416) 受影响软件及版本: 3MF Consortium lib3mf 2.0.0 漏洞描述 A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. 漏洞细节 代码路径: 关键函数: , , 问题核心: 释放了 对象,但后续代码中仍访问该对象,导致 use-after-free。 CVSS评分 CVSS v3 Score: 8.1 向量: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 时间线 Vendor Disclosure: 2021-01-14 Public Release: 2021-03-10 作者 Credit: Discovered by Lilith of Cisco Talos. 代码片段 总结 The screenshot provides detailed information about a critical use-after-free vulnerability in the 3MF Consortium lib3mf library. Attackers can exploit this vulnerability by providing a malicious 3MF file, leading to potential code execution. The vulnerability arises due to improper handling of objects within the function.