{"id":"CVE-2021-34121","details":"An Out of Bounds flaw was discovered in htmodoc 1.9.12 in function parse_tree() in toc.cxx, this possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.","modified":"2026-04-11T17:26:02.691851Z","published":"2023-07-18T14:15:11.780Z","references":[{"type":"REPORT","url":"https://github.com/michaelrsweet/htmldoc/issues/433"},{"type":"FIX","url":"https://github.com/michaelrsweet/htmldoc/commit/c67bbd8756f015e33e4ba639a40c7f9d8bd9e8ab"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/michaelrsweet/htmldoc","events":[{"introduced":"0"},{"last_affected":"df5d3010151a506c5ca138548aac02b37fb421f9"},{"fixed":"c67bbd8756f015e33e4ba639a40c7f9d8bd9e8ab"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.9.12"}]}}],"versions":["v1.8.30","v1.9","v1.9.1","v1.9.10","v1.9.11","v1.9.12","v1.9.2","v1.9.3","v1.9.4","v1.9.5","v1.9.6","v1.9.7","v1.9.8","v1.9.9"],"database_specific":{"vanir_signatures_modified":"2026-04-11T17:26:02Z","vanir_signatures":[{"target":{"file":"htmldoc/toc.cxx"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["74472936324701239189179947801684959794","55580180163099579728845099083603032978","231033111055591428449326968688702924277","303997969498086735175972144008087743931","136510819407222469931225857097045581569","100158749094585702440104975060574168191","97712963103390346151417285033113446307","13284988194101387261281404540878254224","137382518336457156255975746276311425723","287813520798555027340572480736302173802","254945588430117492752515980571743176127","156204025338491728087573202223615622574","168663077649153838021288772676319525891","254398393026790181445279305241951985086","296165482441764967331596794215963612361","236265369848262205135683629570179297954","71083063379609633150757387859141477359","145440472088369733250762007428942013762","16915583702182578439167053626389893954","136510819407222469931225857097045581569","100158749094585702440104975060574168191","97712963103390346151417285033113446307","13284988194101387261281404540878254224","137382518336457156255975746276311425723","287813520798555027340572480736302173802","254945588430117492752515980571743176127","156204025338491728087573202223615622574","168663077649153838021288772676319525891","254398393026790181445279305241951985086","44741077306955054442309078345844855246","197920162013591409756134073573772798068","336227505502026829338264479970000741527","75524125170525172466023950428630577758","291686065635324859690916511548991378725","289867597641689174005533546182451973200","200115303295893617819073405178461201287","102897487371762264111961786911652767356","131960848055316204850756882972887752017","80206706498917876932199752486436634091","123510432370152088149460924722116747352","169753152734000138816479692849255581888","232193828316246666576817002314865459382","18043997377037808775833439037704654356","297344599869978593252793959677691625128","338071800844677981050550650841047104132","8327694540124008966890916077310382084","169753152734000138816479692849255581888","232193828316246666576817002314865459382","18043997377037808775833439037704654356","297344599869978593252793959677691625128","142021917151760295687777055444947702020","241691337226971162070895291377909663754","71084088347455066141909670200096205525","248927125995989411004129146597820987586","15308741516975336523258865184866678262","71084088347455066141909670200096205525","34971717123556518175246578456971330450","133487449318393087696886960813423433847","130712320544829847109540339138780468742","249340349533909115787145620551344029929"]},"deprecated":false,"signature_version":"v1","id":"CVE-2021-34121-0b0571b9","source":"https://github.com/michaelrsweet/htmldoc/commit/c67bbd8756f015e33e4ba639a40c7f9d8bd9e8ab"},{"target":{"file":"htmldoc/util.cxx"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["254945588430117492752515980571743176127","156204025338491728087573202223615622574","168663077649153838021288772676319525891","254398393026790181445279305241951985086","44741077306955054442309078345844855246","161228786262266711974774693856062731782","334172515304612448522043642664865770953","254945588430117492752515980571743176127","156204025338491728087573202223615622574","168663077649153838021288772676319525891","254398393026790181445279305241951985086","44741077306955054442309078345844855246","53687306164478336945583600245266764876","202573574900019112966249430364816390849","30555600080420207520293975831967233764","257501766399087055453094261677246889426","205326247049602650948035894470933335776","92049542674518074564398348438764565333","64878590232215452664093487998837411876","170876604595952287167027538256230120476","202549502179174395069083155704864071137","334085483994834958771608232062383107278","298460166259424558923816723553143542298","257501766399087055453094261677246889426","205326247049602650948035894470933335776","92049542674518074564398348438764565333","64878590232215452664093487998837411876","170876604595952287167027538256230120476","17884904797321257895563039850523992234","251503093283914066320111701909458696156","169098607151100862233500256175542122871","338729493765452085523800935541878333584","26701777582607435092094014669621414737","253750924663450459927394914324965978205","121189069769601455198383315855945079537","251503093283914066320111701909458696156","169098607151100862233500256175542122871","338729493765452085523800935541878333584","26701777582607435092094014669621414737","1410986588060077616547208258867887209","197142122561619628631400298440340798294"]},"deprecated":false,"signature_version":"v1","id":"CVE-2021-34121-36b74391","source":"https://github.com/michaelrsweet/htmldoc/commit/c67bbd8756f015e33e4ba639a40c7f9d8bd9e8ab"},{"target":{"file":"htmldoc/util.cxx","function":"format_number"},"signature_type":"Function","digest":{"length":1671,"function_hash":"51912260901529355829686230770584837860"},"deprecated":false,"signature_version":"v1","id":"CVE-2021-34121-6b46390f","source":"https://github.com/michaelrsweet/htmldoc/commit/c67bbd8756f015e33e4ba639a40c7f9d8bd9e8ab"},{"target":{"file":"htmldoc/toc.cxx","function":"parse_tree"},"signature_type":"Function","digest":{"length":5870,"function_hash":"147639605279641305254013515483433268280"},"deprecated":false,"signature_version":"v1","id":"CVE-2021-34121-7fcb07d5","source":"https://github.com/michaelrsweet/htmldoc/commit/c67bbd8756f015e33e4ba639a40c7f9d8bd9e8ab"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-34121.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}