{"id":"CVE-2021-42917","details":"Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attackers to cause a denial of service due to improper length of values passed to istream.","modified":"2026-04-12T03:54:37.887017Z","published":"2021-11-01T19:15:07.910Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00009.html"},{"type":"REPORT","url":"https://github.com/xbmc/xbmc/issues/20305"},{"type":"FIX","url":"https://github.com/fuzzard/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237"},{"type":"FIX","url":"https://github.com/xbmc/xbmc/commit/48730b64494798705d46dfccc4029bd36d072df3"},{"type":"FIX","url":"https://github.com/xbmc/xbmc/pull/20306"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fuzzard/xbmc","events":[{"introduced":"0"},{"fixed":"80c8138c09598e88b4ddb6dbb279fa193bbb3237"}],"database_specific":{"source":"REFERENCES"}}],"versions":["14.0a2-Helix","14.0a3-Helix","14.0a4-Helix","14.0b1-Helix","14.0b2-Helix","14.0b3-Helix","14.0b4-Helix","14.0b5-Helix","14.0rc1-Helix","14.0rc2-Helix","14.0rc3-Helix","15.0a1-Isengard","15.0a2-Isengard","15.0b1-Isengard","15.0b2-Isengard","15.0rc1-Isengard","16.0a1-Jarvis","16.0a2-Jarvis","16.0a3-Jarvis","16.0a4-Jarvis","16.0b1-Jarvis","16.0b2-Jarvis","17.0a1-Krypton","17.0a2-Krypton","17.0a3-Krypton","17.0b1-Krypton","17.0b2-Krypton","17.0b3-Krypton","17.0b4-Krypton","17.0b5-Krypton","17.0b6-Krypton","Frodo_alpha1","Frodo_alpha2","Frodo_alpha3","Frodo_alpha4","Frodo_alpha5","Frodo_alpha6","Frodo_alpha7","Frodo_beta1","Frodo_beta2","Frodo_beta3","Frodo_rc1","Frodo_rc2","Frodo_rc3","Gotham_alpha1","Gotham_alpha10","Gotham_alpha11","Gotham_alpha2","Gotham_alpha3","Gotham_alpha4","Gotham_alpha5","Gotham_alpha6","Gotham_alpha7","Gotham_alpha8","Gotham_alpha9"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["152448986931517141631931618082030122476","173064288670576767280976837742951420035","15205614205871181415836855196701805972","336055780239469795852335282898795588148","203921010307016786020586253181146907182","39429620224066715997403372314622650447","268399885667487201733117008760641765433","196628942495930255134811054411820298455","163584444075878666636260034844832758028"],"threshold":0.9},"source":"https://github.com/fuzzard/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237","deprecated":false,"target":{"file":"xbmc/playlists/PlayListPLS.cpp"},"id":"CVE-2021-42917-413cd711"},{"signature_version":"v1","signature_type":"Function","digest":{"length":2008,"function_hash":"239015864931717022205884530245420625809"},"source":"https://github.com/fuzzard/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237","deprecated":false,"target":{"file":"xbmc/playlists/PlayListPLS.cpp","function":"CPlayListASX::LoadData"},"id":"CVE-2021-42917-8e438c3b"}],"vanir_signatures_modified":"2026-04-12T03:54:37Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-42917.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/xbmc/xbmc","events":[{"introduced":"0"},{"fixed":"f44fdfbf675f30c01e7639177a34544e6a6b9dad"},{"fixed":"48730b64494798705d46dfccc4029bd36d072df3"}],"database_specific":{"cpe":"cpe:2.3:a:kodi:kodi:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"19.0"}]}}],"versions":["14.0a2-Helix","14.0a3-Helix","14.0a4-Helix","14.0b1-Helix","14.0b2-Helix","14.0b3-Helix","14.0b4-Helix","14.0b5-Helix","14.0rc1-Helix","14.0rc2-Helix","14.0rc3-Helix","15.0a1-Isengard","15.0a2-Isengard","15.0b1-Isengard","15.0b2-Isengard","15.0rc1-Isengard","16.0a1-Jarvis","16.0a2-Jarvis","16.0a3-Jarvis","16.0a4-Jarvis","16.0b1-Jarvis","16.0b2-Jarvis","17.0a1-Krypton","17.0a2-Krypton","17.0a3-Krypton","17.0b1-Krypton","17.0b2-Krypton","17.0b3-Krypton","17.0b4-Krypton","17.0b5-Krypton","17.0b6-Krypton","18.0-Leia","18.0a1-Leia","18.0a2-Leia","18.0a3-Leia","18.0b1-Leia","18.0b1v2-Leia","18.0b2-Leia","18.0b3-Leia","18.0b4-Leia","18.0b5-Leia","18.0rc1-Leia","18.0rc2-Leia","18.0rc3-Leia","18.0rc4-Leia","18.0rc5-Leia","18.0rc5.2-Leia","18.1-Leia","18.1rc1-Leia","18.2rc1-Leia","19.0-Matrix","19.0RC1-Matrix","19.0a1-Matrix","19.0a2-Matrix","19.0a3-Matrix","19.0b1-Matrix","19.0b1Android-Matrix","19.0b2-Matrix","Frodo_alpha1","Frodo_alpha2","Frodo_alpha3","Frodo_alpha4","Frodo_alpha5","Frodo_alpha6","Frodo_alpha7","Frodo_beta1","Frodo_beta2","Frodo_beta3","Frodo_rc1","Frodo_rc2","Frodo_rc3","Gotham_alpha1","Gotham_alpha10","Gotham_alpha11","Gotham_alpha2","Gotham_alpha3","Gotham_alpha4","Gotham_alpha5","Gotham_alpha6","Gotham_alpha7","Gotham_alpha8","Gotham_alpha9","master-last-commmit-before-python3-merge"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-42917.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}