CVE-2021-3403

HIGH

Ytnef - Use After Free

Title source: rule

Description

In ytnef 1.9.3, the TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file.

References (2)

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1926967

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/Yeraze/ytnef/issues/85

Scores

CVSS v3 7.8

EPSS 0.0089

EPSS Percentile 75.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-415 CWE-416

Status published

Affected Products (3)

ytnef_project/ytnef

redhat/enterprise_linux

fedoraproject/fedora

Timeline

Published Mar 04, 2021

Tracked Since Feb 18, 2026