Back

messaging_ipc.dll NULL Pointer Dereference in multiple Bitdefender products (VA-10016)

Publication date: March 7th, 2022

CVE ID:

CVE-2021-4198

CVSS scrore:

6.1 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected vendors:

Bitdefender

Affected products:

- Bitdefender Total Security; Bitdefender Internet Security; Bitdefender Antivirus Plus; Bitdefender VPN Standalone; Bitdefender Endpoint Security Tools

Vulnerability details:

A NULL Pointer Dereference vulnerability in the messaging_ipc.dll component as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools, VPN Standalone allows an attacker to arbitrarily crash product processes and generate crashdump files.

This issue affects:
Bitdefender Total Security versions prior to 26.0.3.29.
Bitdefender Internet Security versions prior to 26.0.3.29.
Bitdefender Antivirus Plus versions prior to 26.0.3.29.
Bitdefender Endpoint Security Tools versions prior to 7.2.2.92.
Bitdefender VPN Standalone versions prior to 25.5.0.48.

Additional details:

An automatic update to these new product versions fixes the issue: - Bitdefender Total Security version 26.0.3.29 - Bitdefender Internet Security version 26.0.3.29 - Bitdefender Antivirus Plus version 26.0.3.29 - Bitdefender VPN Standalone version 25.5.0.48 - Bitdefender Endpoint Security Tools version 7.2.2.92

Credit:

Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative