CVE-2021-21772

HIGH

lib3mf 2.0.0 - Use-After-Free in NMR::COpcPackageReader::releaseZIP()

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-21772. PoCs published by 3dluvr.

AI-analyzed exploit summary: This repository provides a precompiled lib3mf.dll for MeshMixer with a backported patch for CVE-2021-21772 and an updated zlib 1.3.1. It includes source code and references the original vulnerability report and patch commit.

Description

A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

Exploits (1)

nomisec WRITEUP 1 stars
by 3dluvr · poc
https://github.com/3dluvr/New-lib3mf.dll-for-MeshMixer

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: MeshMixer (using lib3mf.dll)
No auth needed
Prerequisites: Access to replace the lib3mf.dll file in MeshMixer's installation directory
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 8.1
EPSS 0.0434
EPSS Percentile 90.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-416
Status published
Products (5)
3mf/lib3mf 2.0.0
debian/debian_linux 10.0
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
Published Mar 10, 2021
Tracked Since Feb 18, 2026