Name | CVE-2021-26826 |
Description | A stack overflow issue exists in Godot Engine up to v3.2 and is caused by improper boundary checks when loading .TGA image files. Depending on the context of the application, attack vector can be local or remote, and can lead to code execution and/or system crash. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 982593 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
godot (PTS) | bookworm, bullseye | 3.2.3-stable-1 | vulnerable |
godot (PTS) | trixie | 3.5.2-stable-2 | fixed |
godot (PTS) | sid | 3.6+ds-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
godot | source | (unstable) | 3.5.1-stable-1 | | | 982593 |
Notes
[bookworm] - godot <no-dsa> (Minor issue)
[bullseye] - godot <no-dsa> (Minor issue)
[buster] - godot <no-dsa> (Minor issue)
https://github.com/godotengine/godot/pull/45701
https://github.com/godotengine/godot/commit/403e4fd08b0b212e96f53d926e6273e0745eaa5a (master)
https://github.com/godotengine/godot/commit/113b5ab1c45c01b8e6d54d13ac8876d091f883a8 (3.3-stable)