History: Feb 04, 2022 - 12:00 a.m.

CVE-2021-40401

2022-02-04 00:00:00
CWE-252
talos
www.cve.org
use-after-free vulnerability
rs-274x aperture definition
gerbv 2.7.0
gerbv 2.7.1
code execution
gerber file
attacker
malicious file

CVSS3: 10

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

AI Score: 9.4
Confidence: High

EPSS: 0.004
Percentile: 72.7%

A use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and Gerbv forked 2.7.1. A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Gerbv",
    "versions": [
      {
        "version": "Gerbv 2.7.0 ,Gerbv forked 2.7.1 ,Gerbv dev (commit b5f1eacd)",
        "status": "affected"
      }
    ]
  }
]
