CVE-2022-26336

A carefully crafted TNEF file can cause an out of memory exception

Description

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.

References

Link	Tags
https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j	mailing list vendor advisory
https://security.netapp.com/advisory/ntap-20221028-0006/	third party advisory

Frequently Asked Questions

What is the severity of CVE-2022-26336?: CVE-2022-26336 has been scored as a medium severity vulnerability.
How to fix CVE-2022-26336?: To fix CVE-2022-26336, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-26336 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-26336 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-26336?: CVE-2022-26336 affects Apache Software Foundation poi-scratchpad.

Description

Categories

CWE-20 – Improper Input Validation

CWE-770 – Allocation of Resources Without Limits or Throttling

References

Frequently Asked Questions