CVE-2021-33912

CRITICAL9.8EPSS 1.3%

libspf2 - security update

Published: 1/19/2022Modified: 12/3/2025

Also known as:ALPINE-CVE-2021-33912

Description

libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

Affected packages (3)

Alpine/libspf2from 0, < 1.2.11-r0
Debian/libspf2from 0, < 1.2.10-7.1~deb11u1
Debian/libspf2from 0, < 1.2.10-7+deb9u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-33912
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-33912