A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution. Upstream issue: https://developer.blender.org/T94572 Upstream patch: https://developer.blender.org/D11952
Created blender tracking bugs for this issue: Affects: epel-all [bug 2052009] Affects: fedora-all [bug 2052010]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Similar flaws were found and reported by Cisco Talos in 2017. For more information, see https://developer.blender.org/T52924 and https://blog.talosintelligence.com/2018/01/unpatched-blender-vulns.html.