Code execution vulnerabilities in DaVinci Resolve video editing software (CVE-2021-40417 and CVE-2021-40418)
CVE numbers – CVE-2021-40417 and CVE-2021-40418
Cisco Talos recently discovered two vulnerabilities in the DaVinci Resolve video editing software that could allow an adversary to execute code in the context of the application.
DaVinci Resolve is a non-linear video editing application from Blackmagic Software that is available on multiple operating systems.
Both these vulnerabilities exist in the DPDecoder service inside DaVinci Resolve.TALOS-2021-1426 (CVE-2021-40417) is a heap-based buffer overflow vulnerability that occurs when the application faces an integer overflow condition that leads to a sign extension while trying to decode a video file.
Alternatively, TALOS-2021-1427 (CVE-2021-40418) could also lead to code execution, but is instead triggered as the result of an uninitialized object member as a result of an incorrect UUID.
Blackmagic Design DaVinci Resolve, version 17.3.1.0005 tested and confirmed these versions of DaVinci could be exploited by this vulnerability.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.