CVE-2021-20304
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-20304
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20304.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-20304
- Downstream
- Related
- Published
- 2022-08-23T16:15:09Z
- Modified
- 2025-10-14T17:58:33.664013Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A flaw was found in OpenEXR's hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability.
- References
-
- https://access.redhat.com/security/cve/CVE-2021-20304
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229
- https://bugzilla.redhat.com/show_bug.cgi?id=1939157
- https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e
- https://github.com/AcademySoftwareFoundation/openexr/pull/849
- https://security.gentoo.org/glsa/202210-31
Affected packages
Git / github.com/academysoftwarefoundation/openexr
Affected ranges
- Type
- GIT
- Repo
- https://github.com/academysoftwarefoundation/openexr
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/openexr/openexr
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affected
Affected versions
Other
OPENEXR_1_0_4
v1.*
v1.7.1
v2.*
v2.0.0
v2.0.0.GM
v2.0.0.beta.1
v2.0.0.beta.2
v2.0.1
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.0-beta.1
v2.5.0
Database specific
vanir_signatures
[
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e",
"signature_version": "v1",
"target": {
"file": "OpenEXR/IlmImfTest/testHuf.cpp",
"function": "testHuf"
},
"digest": {
"length": 2275.0,
"function_hash": "142599679339278390775436878791618875818"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2021-20304-1679b5a0"
},
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e",
"signature_version": "v1",
"target": {
"file": "OpenEXR/IlmImf/ImfHuf.cpp"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"176619312443329297395995683934337352492",
"59153990626692811954531634974037640760",
"280545896845426792165423578461400660911",
"309647597067992837408997705700321225110",
"141598768638337190685828799387095221285",
"59153990626692811954531634974037640760",
"280545896845426792165423578461400660911",
"309647597067992837408997705700321225110"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2021-20304-6ed203c3"
},
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e",
"signature_version": "v1",
"target": {
"file": "OpenEXR/IlmImfTest/testHuf.cpp"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"228171475889809895756915103234311474723",
"211348541425446003625583645029424311982",
"222545151195002010839262331802745695684",
"123809418444615929039672465823495993606",
"306031592317467593999739769909832548872",
"193598449336170322423688275719092892213",
"220647300859224983045921492760598584090",
"309233654629791003679774693033524609444",
"176892776764325263697564536408034591675",
"302870813458771027071388532728739237970",
"65622425798390653163547072846514818453",
"324481768719202754334798637136831019229",
"74518275870084479626946575580973110792",
"25547727514522005730004821624133478644",
"192045751469172973298747441871730922438",
"169064724491124496309629145572533820457",
"70605626775562861260846711740508896634",
"336912429723870090733815642676619108296",
"264090073998771335898534733328542145183",
"33459033936443227971884969393598686629",
"157343517884968959420940233932383699525",
"217484807965665175555076214503207510777",
"212582678668068973043304443816156211788",
"146987967791660056920482051128956316123",
"28181326755556531652834973651246564785",
"15530598930675586033384845841442758547",
"73310869741949180931061619557243965044",
"49219954833732573551669314778185431154",
"16593618965901582378453485782345120607",
"16734837471453617396236581449079517855",
"259279471084525072680577058575438206187",
"339172337089939287073863202488435572964",
"162962803419591331999561202055992232360",
"160339307031519541974825522946510170088",
"248928860887032079536803703486856593194",
"95543963126749663113532997325630096147",
"262725096885756963894686980051447799753",
"123254625821067332210797903513762513825",
"215967715629149520871904108046953053179",
"259571171774974096463004149095353926018",
"17530655067539300605368381897296879015",
"204726315782173892977392348255435469678",
"121835337635973480034200840984423180024",
"90717070669660149296567427081734191442",
"306117669700701789329557307766814220802",
"61504472609169805676191128426594305503",
"231700399743187055041196899206247429277",
"122516485055760580003010398310676758913",
"292715507876607093012967690374352900416",
"294790973898164824799420648800640734466",
"48654327463988979693325979468071293396",
"117182805332597910880001768519839624159",
"210299331129128809525057974852222107539",
"133499141619372449062255351366039054991",
"328395463138226411156826626435888100621",
"324563290341814529990338541121290263692",
"94734063386315486169871614185358862762",
"9234868116249880552782520179074036286",
"80432001400659352278056457450787992504",
"245978996548651627931413661881799156804",
"140804272341884289952622574105365258196"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2021-20304-942f38ae"
},
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e",
"signature_version": "v1",
"target": {
"file": "OpenEXR/IlmImf/ImfHuf.cpp",
"function": "hufDecode"
},
"digest": {
"length": 1420.0,
"function_hash": "138934839704051101487035138836379312673"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2021-20304-f93effb1"
}
]