CVE-2021-42521

There is a NULL pointer dereference vulnerability in VTK before 9.2.5, in IO/Infovis/vtkXMLTreeReader.cxx. The vendor did not check the return value of the libxml2 API 'xmlDocGetRootElement' before dereferencing it. This is unsafe because the return value can be NULL, and dereferencing that NULL pointer may crash the application.
Base Score (CVSS 3.x)

Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
fedora    CNA   ---         ---
CVE       ADP   ---         ---

EPSS Score: percentile 22%
Vendor  Product  Version
vtk     vtk      x <= 9.0.0

x = vulnerable software versions
Debian Releases

Product  Codename  Version        Status
vtk6     bullseye                 vulnerable
vtk6     bookworm                 ignored
vtk6     buster                   no-dsa
vtk7     bullseye                 vulnerable
vtk7     bookworm                 ignored
vtk7     buster                   no-dsa
vtk9     bullseye                 no-dsa
vtk9     bookworm                 ignored
vtk9     buster                   no-dsa
vtk9     sid       9.3.0+dfsg1-1  fixed
vtk9     trixie    9.3.0+dfsg1-1  fixed
Ubuntu Releases

Product  Codename  Status
vtk      noble     dne
vtk      mantic    dne
vtk      lunar     dne
vtk      kinetic   dne
vtk      jammy     dne
vtk      focal     dne
vtk      bionic    dne
vtk      xenial    needs-triage
vtk      trusty    needs-triage
vtk6     noble     dne
vtk6     mantic    dne
vtk6     lunar     dne
vtk6     kinetic   dne
vtk6     jammy     dne
vtk6     focal     needs-triage
vtk6     bionic    needs-triage
vtk6     xenial    needs-triage
vtk6     trusty    needs-triage
vtk7     noble     dne
vtk7     mantic    dne
vtk7     lunar     dne
vtk7     kinetic   ignored
vtk7     jammy     needs-triage
vtk7     focal     needs-triage
vtk7     bionic    needs-triage
vtk7     xenial    dne
vtk7     trusty    dne
vtk9     noble     needs-triage
vtk9     mantic    ignored
vtk9     lunar     ignored
vtk9     kinetic   ignored
vtk9     jammy     needs-triage
vtk9     focal     dne
vtk9     bionic    dne
vtk9     xenial    dne
vtk9     trusty    dne