### Key Information

#### Vulnerability Overview

- **CVE ID**: CVE-2021-21772
- **Vulnerability Type**: Use-After-Free (CWE-416)
- **Affected Software & Version**: 3MF Consortium lib3mf 2.0.0

#### Vulnerability Description

A use-after-free vulnerability exists in the `NMR::COpcPackageReader::releaseZIP()` function of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can trigger this vulnerability by supplying a malicious 3MF file to any application that parses it with lib3mf.

#### Vulnerability Details

- **Code Path**: `NMR::COpcPackageReader::releaseZIP()`
- **Key Functions**: `zip_close`, `zip_source_free`, `zip_discard`
- **Core Issue**: `zip_close()` reaches `zip_discard()`, which calls `zip_source_free()` on the archive's `zip_source` and destroys it. `releaseZIP()` then calls `zip_source_close()` on the same, already freed `m_ZIPsource` pointer, resulting in a use-after-free. The reader treats the source as if it still owned it, while libzip has already released it on the archive's behalf.

#### CVSS Score

- **CVSS v3 Score**: 8.1 (High)
- **Vector**: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

#### Timeline

- **Vendor Disclosure**: 2021-01-14
- **Public Release**: 2021-03-10

#### Author

- **Credit**: Discovered by Lilith of Cisco Talos.

#### Code Snippets

```cpp
// lib3mf 2.0.0: releaseZIP() closes the archive first, then touches the source.
void COpcPackageReader::releaseZIP()
{
    if (m_ZIParchive != nullptr)
        zip_close(m_ZIParchive);       // frees m_ZIPsource via zip_discard()
    if (m_ZIPsource != nullptr)
        zip_source_close(m_ZIPsource); // use-after-free: m_ZIPsource is already gone
}

// libzip excerpts as quoted in the advisory (abbreviated).
// Inside zip_close(): with nothing to write, the source is released.
if (!src->write_callback && src->open_count == 0) {
    zip_source_free(src->src);
    return 0;
}

// zip_discard() drops the archive's reference to its source.
void zip_discard(zip_t *za)
{
    if (za->src) {
        zip_source_free(za->src);
    }
}
```

#### Summary

This advisory summary describes a high-severity (CVSS 8.1) use-after-free vulnerability in the 3MF Consortium lib3mf library. Attackers can exploit it by supplying a malicious 3MF file, potentially leading to code execution. The vulnerability stems from `releaseZIP()` calling `zip_source_close()` on a `zip_source` object that `zip_close()` has already freed.
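Added example, not lib3mf or libzip code: a small C++ model of the ownership rule at the root of this bug, with the vulnerable `releaseZIP()` ordering beside two hardened forms. It assumes, as libzip's `zip_open_from_source(3)` and `zip_source_keep(3)` document, that an archive takes ownership of its source and that `zip_close()` (via `zip_discard()`) frees it. The `model::*` types and functions, `PackageReader`, `open_package` and the `release_*` functions are hypothetical stand-ins for the real API, and a set of live pointers replaces AddressSanitizer so the dangling access is reported rather than dereferenced.

```cpp
#include <cstdio>
#include <set>

// Hypothetical model of libzip's source/archive ownership (not libzip code).
namespace model {

struct Source {
    int refcount = 1;   // the creator holds the initial reference
    int open_count = 0; // > 0 while an archive is reading from it
};

struct Archive {
    Source *src = nullptr;
};

// Live-object registry: stands in for ASan so a dangling pointer is
// reported instead of dereferenced.
static std::set<const Source *> g_live;
static bool g_uaf_detected = false;

Source *source_new() {
    Source *s = new Source;
    g_live.insert(s);
    return s;
}

// zip_source_keep(): take an extra reference.
void source_keep(Source *s) { ++s->refcount; }

// zip_source_close(): only valid on a live source. The pointer is compared
// against the registry, never dereferenced, so a freed source is reported.
int source_close(Source *s) {
    if (g_live.count(s) == 0) { g_uaf_detected = true; return -1; }
    if (s->open_count > 0) --s->open_count;
    return 0;
}

// zip_source_free(): drop one reference, destroy at zero.
void source_free(Source *s) {
    if (s == nullptr) return;
    if (g_live.count(s) == 0) { g_uaf_detected = true; return; } // double free
    if (--s->refcount > 0) return;
    g_live.erase(s);
    delete s;
}

// zip_open_from_source(): the archive takes ownership of the source.
Archive *archive_open(Source *s) {
    Archive *za = new Archive;
    za->src = s;
    s->open_count = 1;
    return za;
}

// zip_close() on an unmodified archive: zip_discard() closes and frees the
// source, consuming the reference the archive owned.
void archive_close(Archive *za) {
    if (za->src != nullptr) {
        source_close(za->src);
        source_free(za->src);
    }
    delete za;
}

} // namespace model

// Mirrors the two members NMR::COpcPackageReader::releaseZIP() tears down.
struct PackageReader {
    model::Archive *m_ZIParchive = nullptr;
    model::Source *m_ZIPsource = nullptr;
};

// keep_ref models calling zip_source_keep() before the archive takes ownership.
void open_package(PackageReader &r, bool keep_ref) {
    r.m_ZIPsource = model::source_new();
    if (keep_ref) model::source_keep(r.m_ZIPsource);
    r.m_ZIParchive = model::archive_open(r.m_ZIPsource);
}

// Vulnerable order from lib3mf 2.0.0: zip_close() already freed m_ZIPsource,
// then zip_source_close() runs on the dangling pointer. Returns true on UAF.
bool release_vulnerable(PackageReader &r) {
    model::g_uaf_detected = false;
    if (r.m_ZIParchive != nullptr) model::archive_close(r.m_ZIParchive);
    if (r.m_ZIPsource != nullptr) model::source_close(r.m_ZIPsource); // UAF
    r.m_ZIParchive = nullptr;
    r.m_ZIPsource = nullptr;
    return model::g_uaf_detected;
}

// Hardened form 1: the archive owns the source, so nothing touches it after
// zip_close(); the pointer is cleared so a later release cannot reuse it.
bool release_fixed(PackageReader &r) {
    model::g_uaf_detected = false;
    if (r.m_ZIParchive != nullptr) model::archive_close(r.m_ZIParchive);
    r.m_ZIParchive = nullptr;
    r.m_ZIPsource = nullptr; // freed by zip_close(); never close or free it here
    return model::g_uaf_detected;
}

// Hardened form 2: the reader kept its own reference at open time, so the
// source outlives zip_close() and the reader releases that reference itself.
bool release_fixed_keep(PackageReader &r) {
    model::g_uaf_detected = false;
    if (r.m_ZIParchive != nullptr) model::archive_close(r.m_ZIParchive);
    if (r.m_ZIPsource != nullptr) model::source_free(r.m_ZIPsource); // our reference
    r.m_ZIParchive = nullptr;
    r.m_ZIPsource = nullptr;
    return model::g_uaf_detected;
}

int main() {
    PackageReader a, b, c;
    open_package(a, false);
    std::printf("vulnerable releaseZIP: UAF detected = %d\n", release_vulnerable(a));
    open_package(b, false);
    std::printf("fixed (archive owns source): UAF detected = %d\n", release_fixed(b));
    open_package(c, true);
    std::printf("fixed (kept reference): UAF detected = %d\n", release_fixed_keep(c));
    std::printf("live sources leaked: %zu\n", model::g_live.size());
    return 0;
}
```

The check that matters in a real review is the ownership hand-off at `zip_open_from_source()`: once the archive owns the source, every later reference to `m_ZIPsource` after `zip_close()` is a bug unless a `zip_source_keep()` was paired with it. Running the actual library under AddressSanitizer with the crafted file reports the same heap-use-after-free that the registry flags here.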