Description
A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution.
References (4)
Core 4
Core References
Mitigation, Patch, Vendor Advisory x_refsource_misc
https://developer.blender.org/T94572
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIZADV3AHTWZ2YKEFTVLNK3K4F4KTYLM/
Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/06/msg00021.html
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2022/dsa-5176
Scores
CVSS v3
7.8
EPSS
0.0047
EPSS Percentile
64.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-190
Status
published
Products (7)
blender/blender
2.93.8
blender/blender
3.0
debian/debian_linux
9.0
debian/debian_linux
10.0
debian/debian_linux
11.0
fedoraproject/extra_packages_for_enterprise_linux
7.0
fedoraproject/fedora
34
Published
Feb 24, 2022
Tracked Since
Feb 18, 2026