CVE-2021-42716
📋 TL;DR
A buffer overflow vulnerability in stb_image.h's PNM loader incorrectly interprets 16-bit PGM files as 8-bit, causing memory corruption when converting to RGBA. This could allow attackers to crash services or read up to 1024 bytes of heap data. Any application using stb_image.h to process PNM/PGM images is affected.
💻 Affected Systems
- stb_image.h library
- Applications embedding stb_image.h
📦 What is this software?
Fedora by Fedoraproject
Stb Image.h by Nothings
⚠️ Risk & Real-World Impact
Worst Case
Service crash leading to denial of service, or limited information disclosure of heap memory contents (up to 1024 non-consecutive bytes without location control).
Likely Case
Application crash when processing malicious PNM/PGM files, causing denial of service.
If Mitigated
No impact if image processing is sandboxed or input validation prevents malicious files.
🎯 Exploit Status
Proof of concept exists in GitHub issues. Exploitation requires crafting a malicious PNM/PGM file that triggers the buffer overflow during image loading.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any stb_image.h revision that includes the commit fixing the issue (after October 2021)
Vendor Advisory: https://github.com/nothings/stb/issues/1166
Restart Required: Yes
Instructions:
1. Update stb_image.h to the latest version from the GitHub repository.
2. Recompile any applications that embed the library.
3. Restart affected services.
🔧 Temporary Workarounds
Disable PNM/PGM image support
Define STBI_NO_PNM in the including source file so the PNM/PGM loader is compiled out
// Define STBI_NO_PNM before the #include of stb_image.h (in your source, not inside the header)
#define STBI_NO_PNM
Input validation for image files
Implement server-side validation that rejects PNM/PGM format uploads
🧯 If You Can't Patch
- Implement strict input validation to block PNM/PGM file uploads
- Sandbox image processing in isolated containers with memory limits
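The header pre-filter that the input-validation workaround and the "If You Can't Patch" item above call for, as an added example that is not stb_image's or the advisory's own code: it parses a binary PNM header and accepts only 8-bit P5/P6 files with a complete raster, so 16-bit input (maxval > 255, the case CVE-2021-42716 mishandles) never reaches stbi_load_from_memory. Function names, the 1e6 dimension cap and the sample bytes are constructed for this example.

```c
#include <stddef.h>

typedef struct { int width, height, maxval, channels; size_t data_offset; } pnm_header;

/* Skip whitespace and '#' comments, both allowed between PNM header tokens. */
static size_t pnm_skip(const unsigned char *b, size_t len, size_t i) {
    for (;;) {
        while (i < len && (b[i] == ' ' || b[i] == '\t' || b[i] == '\r' || b[i] == '\n')) i++;
        if (i < len && b[i] == '#') { while (i < len && b[i] != '\n') i++; continue; }
        return i;
    }
}

/* Parse one unsigned decimal header token; -1 if no digits or above an assumed cap of 1e6. */
static int pnm_int(const unsigned char *b, size_t len, size_t *i) {
    long v = 0; int digits = 0;
    *i = pnm_skip(b, len, *i);
    while (*i < len && b[*i] >= '0' && b[*i] <= '9') {
        v = v * 10 + (b[*i] - '0');
        if (v > 1000000) return -1;
        (*i)++; digits++;
    }
    return digits ? (int)v : -1;
}

/* Returns 1 only for a binary P5/P6 file with maxval <= 255 and a complete raster, the input
 * stb_image 2.27 handles as intended. Everything else, including 16-bit maxval, is rejected. */
int pnm_header_is_safe_8bit(const unsigned char *b, size_t len, pnm_header *h) {
    pnm_header tmp; size_t i = 2;
    if (!h) h = &tmp;
    if (len < 2 || b[0] != 'P' || (b[1] != '5' && b[1] != '6')) return 0;
    h->channels = (b[1] == '5') ? 1 : 3;
    h->width  = pnm_int(b, len, &i);
    h->height = pnm_int(b, len, &i);
    h->maxval = pnm_int(b, len, &i);
    if (h->width <= 0 || h->height <= 0 || h->maxval <= 0 || h->maxval > 65535) return 0;
    if (i >= len) return 0;                /* header ends without a raster */
    h->data_offset = i + 1;                /* one whitespace byte separates maxval from the raster */
    if (h->maxval > 255) return 0;         /* 16-bit samples: the case CVE-2021-42716 mishandles */
    size_t need = (size_t)h->width * (size_t)h->height * (size_t)h->channels;
    return len - h->data_offset >= need;   /* a truncated raster is rejected too */
}

/* Constructed samples: a 2x2 8-bit PGM, the same dimensions declared 16-bit, and a truncated PPM with a comment. */
static const unsigned char SAMPLE_8BIT[]  = "P5\n2 2\n255\n\x10\x20\x30\x40";
static const unsigned char SAMPLE_16BIT[] = "P5\n2 2\n65535\n\x00\x10\x00\x20\x00\x30\x00\x40";
static const unsigned char SAMPLE_TRUNC[] = "P6\n# comment\n2 1 255\n\x01\x02\x03";
```

Call the check on the raw upload before stbi_load_from_memory and drop the file when it returns 0; the struct also tells you the declared maxval for logging.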
🔍 How to Verify
Check if Vulnerable:
Check whether the application uses stb_image.h version 2.27 or earlier and processes PNM/PGM images.
Check Version:
# Check the stb_image.h header for its version string or the fixing commit hash
grep -i "version\|commit" stb_image.h
Verify Fix Applied:
Verify stb_image.h version includes fix from GitHub commit addressing CVE-2021-42716.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing image files
- Memory access violation errors in logs
- Unexpected termination of image processing services
Network Indicators:
- Uploads of PNM/PGM format files to vulnerable endpoints
SIEM Query:
source="application.log" AND ("segmentation fault" OR "access violation" OR "buffer overflow") AND "image"
🔗 References
- https://github.com/nothings/stb/issues/1166
- https://github.com/nothings/stb/issues/1225
- https://github.com/nothings/stb/pull/1223
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TDGZFLBOP27LZKLH45WQLSNPSPP7S7Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AF2CNP4FVC6LDKNOO4WDCGNDYIP3MPK6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEGXBDEMTFGINETMJENBZ6SCHVEJQJSY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CI23LXPEV2GCDQTJSKO6CIILBDTI3R42/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FTZXHFZD36BGE5P6JF252NZZLKMGCY4T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2M5CRSGPRF7G3YB5CLU4FXW7ANNHAYT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ID6II3RIKAMVGVMC6ZAQIXXYYDMTVC4N/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXX76TJMZBPN3NU542MGN6B7C7QHRFGB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VP2YEXEAJWI76FPM7D7VXHWD3WESQEYC/