CVE-2021-33657

8.8 HIGH

📋 TL;DR

CVE-2021-33657 is a heap buffer overflow vulnerability in SDL's BMP image parsing code. Attackers can exploit this by crafting malicious BMP files to cause denial of service or potentially execute arbitrary code. This affects any application using SDL 2.x up to version 2.0.18 that processes BMP images.

💻 Affected Systems

Products:
  • SDL (Simple DirectMedia Layer)
Versions: 2.x to 2.0.18
Operating Systems: All platforms supported by SDL (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using SDL's image loading functionality for BMP files is vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the vulnerable application processes attacker-controlled BMP files.

🟠 Likely Case

Application crash and denial of service when processing malicious BMP files.

🟢 If Mitigated

Limited impact if BMP file processing is restricted to trusted sources or disabled.

🌐 Internet-Facing: MEDIUM - Risk depends on whether the application accepts BMP files from untrusted sources over network interfaces.
🏢 Internal Only: LOW - Lower risk in controlled environments unless users can upload malicious BMP files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to process a malicious BMP file, which can be delivered via various vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SDL 2.0.20 and later

Vendor Advisory: https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9

Restart Required: Yes

Instructions:

1. Update SDL to version 2.0.20 or later.
2. Recompile applications against the updated library.
3. Restart affected applications.

🔧 Temporary Workarounds

Disable BMP file processing
Applies to: all

Modify applications to disable BMP image loading functionality.
Note: Application-specific configuration changes required.

Input validation
Applies to: all

Implement strict validation of BMP files before processing.
Note: Implement file signature and size validation in application code.
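The signature-and-size validation named above, as an added example that is not SDL code or part of this advisory: a hypothetical application-side pre-check run on the BMP bytes before they are handed to SDL's loader. It rejects files whose signature, declared size, geometry, palette count or pixel-data extent are inconsistent with the buffer actually received; BMP_MAX_DIM and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical application-side pre-check (not SDL code) run on a BMP buffer
 * before it is passed to SDL. BMP_MAX_DIM is an assumed application limit. */
#define BMP_MAX_DIM 16384u
#define BMP_HDR_LEN 54u   /* 14-byte file header + 40-byte BITMAPINFOHEADER */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 when signature, declared size, geometry and pixel-data extent are
 * mutually consistent, otherwise a negative code identifying the failed check. */
int bmp_prevalidate(const uint8_t *buf, size_t len)
{
    if (len < BMP_HDR_LEN) return -1;
    if (buf[0] != 'B' || buf[1] != 'M') return -2;          /* file signature */
    uint32_t file_size = rd32(buf + 2), pix_off = rd32(buf + 10), dib_size = rd32(buf + 14);
    if (file_size != len) return -3;                         /* declared vs. actual size */
    if (dib_size < 40 || dib_size > len - 14) return -4;     /* only BITMAPINFOHEADER or larger */
    int32_t width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30), clr_used = rd32(buf + 46);
    uint32_t h = (uint32_t)(height < 0 ? -(int64_t)height : height); /* negative = top-down */
    if (rd16(buf + 26) != 1) return -5;                      /* colour planes */
    if (width <= 0 || (uint32_t)width > BMP_MAX_DIM || h == 0 || h > BMP_MAX_DIM) return -6;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return -7;
    if (bpp <= 8 && clr_used > (1u << bpp)) return -8;       /* palette larger than 2^bpp */
    if (pix_off < 14 + dib_size || pix_off > len) return -9; /* pixel offset inside file */
    if (compression == 0 || compression == 3) {              /* BI_RGB / BI_BITFIELDS: uncompressed */
        uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;  /* rows padded to 4 bytes */
        if (stride * h > len - pix_off) return -10;          /* pixel data must fit in buffer */
    }
    return 0;
}

/* Constructed sample input: writes a width x height 24-bpp BI_RGB image of
 * zero pixels. Returns the total length, or 0 if cap is too small. */
size_t build_sample_bmp(uint8_t *out, size_t cap, uint32_t width, uint32_t height)
{
    uint32_t stride = ((width * 24 + 31) / 32) * 4, total = BMP_HDR_LEN + stride * height;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, total); wr32(out + 10, BMP_HDR_LEN); wr32(out + 14, 40);
    wr32(out + 18, width); wr32(out + 22, height);
    out[26] = 1; out[28] = 24;
    return total;
}
```

A rejected file is simply not passed to SDL; the negative code tells the caller which consistency check failed, which is useful for logging the indicators listed under Detection & Monitoring.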

🧯 If You Can't Patch

  • Restrict BMP file processing to trusted sources only
  • Implement application sandboxing to limit potential damage from exploitation

🔍 How to Verify

Check if Vulnerable:

Check SDL version: applications using SDL version 2.0.18 or earlier are vulnerable.

Check Version:

On Linux: sdl2-config --version or check library files.
On Windows: Check DLL version properties.

Verify Fix Applied:

Verify SDL version is 2.0.20 or later and applications have been recompiled against it.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing BMP files
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual BMP file transfers to applications using SDL

SIEM Query:

Application logs containing 'segmentation fault', 'access violation', or 'heap corruption' during BMP file processing
