{"id":"CVE-2021-26567","details":"Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options.","modified":"2026-04-11T13:54:01.942537Z","published":"2021-02-26T22:15:20.707Z","references":[{"type":"ADVISORY","url":"https://www.synology.com/security/advisory/Synology_SA_20_26"},{"type":"FIX","url":"https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/knik0/faad2","events":[{"introduced":"0"},{"fixed":"720f7004d6c4aabee19aad16e7c456ed76a3ebfa"}]},{"type":"GIT","repo":"https://github.com/knik0/faad2","events":[{"introduced":"0"},{"fixed":"720f7004d6c4aabee19aad16e7c456ed76a3ebfa"}]}],"versions":["FAAD2_2_5","FAAD2_2_7","arelease","ver_2_0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"6.2.3-25426-3"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.2.7.1"}]},{"events":[{"introduced":"faad2"},{"fixed":"2.2.7.1"}]}],"vanir_signatures":[{"deprecated":false,"target":{"function":"main","file":"frontend/main.c"},"signature_version":"v1","id":"CVE-2021-26567-64dae37b","signature_type":"Function","digest":{"function_hash":"95742462205655087578236785053942125758","length":4736},"source":"https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"},{"deprecated":false,"target":{"file":"frontend/main.c"},"signature_version":"v1","id":"CVE-2021-26567-c5b40804","signature_type":"Line","digest":{"line_hashes":["306659755408664481554497882326530877476","213407387545487024536194668280215840308","148073088228211882827322902778678516414","16654748510347319609504716732749980679","330208000278894993203207276138467824409","297352587452118111443895761903390731583","320836221036234536879684924487166759834","124951596289727895763253951882181560404","19587932756649956852888588983105705900","138952740350482020137357106067673585353","204276984114376152072326174589153731527","291013805752271619024730546759320044380","323512358555906136900152563794785142316","229669719966857248386029785612329923687","41149201910957390574582480783513483136","251266136391002991049717518773052748937","318074296695251189569800443972256847883","265433941319363142317182450960142062579","188226239427061059445051681021010020172","212375895169298719516805237693641231011","81392596556405006199225184731851944896","135257427212578991870565203922282716675","73529895415045791327769103520526719311","316208917844620361821882407917060414594","189345695525901561662559109416882030903","129089615508674507602734237263448596672","256030286320760498250207455522929183010"],"threshold":0.9},"source":"https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"}],"vanir_signatures_modified":"2026-04-11T13:54:01Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-26567.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}