Security News > 2021 > December > Blackmagic fixes critical DaVinci Resolve code execution flaws

Blackmagic fixes critical DaVinci Resolve code execution flaws
2021-12-24 15:00

Blackmagic Software has recently addressed two security vulnerabilities in the highly popular DaVinci Resolve software that would allow attackers to gain code execution on unpatched systems.

As its developer Blackmagic claims, DaVinci Resolve is "Hollywood's most popular solution for editing" for Mac, Windows, and Linux.

The two remote code execution security flaws, tracked as CVE-2021-40417 and CVE-2021-40418, were discovered by Cisco Talos security researchers and are rated with a CVSSv3 severity score of 9.8/10. They're both caused by weaknesses found in DaVinci Resolve's DPDecoder service and are triggered by a heap-based buffer overflow when decoding a video file or an incorrect UUID when parsing video files.

Cisco Talos discovered the two code execution vulnerabilities while analyzing DaVinci Resolve, version 17.3.1.0005.

Blackmagic has since patched both bugs, and users are advised to update to DaVinci Resolve 17.4.3, the latest released version for their platform, as soon as possible.

You can find detailed info on how to install DaVinci Resolve software on your device in the DaVinci Resolve 17.4.3 changelog, released earlier this week.


News URL

https://www.bleepingcomputer.com/news/security/blackmagic-fixes-critical-davinci-resolve-code-execution-flaws/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-12-22 CVE-2021-40418 Use of Uninitialized Resource vulnerability in Blackmagicdesign Davinci Resolve 17.3.1.0005
When parsing a file that is submitted to the DPDecoder service as a job, the R3D SDK will mistakenly skip over the assignment of a property containing an object referring to a UUID that was parsed from a frame within the video container.
network
low complexity
blackmagicdesign CWE-908
critical
9.8
2021-12-22 CVE-2021-40417 Integer Overflow or Wraparound vulnerability in Blackmagicdesign Davinci Resolve 17.3.1.0005
When parsing a file that is submitted to the DPDecoder service as a job, the service will use the combination of decoding parameters that were submitted with the job along with fields that were parsed for the submitted video by the R3D SDK to calculate the size of a heap buffer.
network
low complexity
blackmagicdesign CWE-190
critical
9.8