{"id":"CVE-2022-0546","details":"A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution.","modified":"2026-04-02T07:37:21.610849Z","published":"2022-02-24T19:15:09.807Z","related":["openSUSE-SU-2024:11859-1","openSUSE-SU-2025:15755-1","openSUSE-SU-2025:15756-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIZADV3AHTWZ2YKEFTVLNK3K4F4KTYLM/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/06/msg00021.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5176"},{"type":"FIX","url":"https://developer.blender.org/T94572"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/blender/blender","events":[{"introduced":"0"},{"last_affected":"09da7f489ad951eff5fc42f97a8079fafce12a89"},{"introduced":"0"},{"last_affected":"f1cca3055776be50f59dd4fb6de3018afb53d52c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.93.8"},{"introduced":"0"},{"last_affected":"3.0"}]}}],"versions":["2.72b","v2.25","v2.26","v2.27","v2.28","v2.28a","v2.28c","v2.30","v2.31","v2.31a","v2.32","v2.33","v2.33a","v2.34","v2.35","v2.35a","v2.36","v2.37","v2.37a","v2.40","v2.41","v2.42","v2.42a","v2.43","v2.44","v2.45","v2.46","v2.47","v2.48","v2.48a","v2.49","v2.49a","v2.49b","v2.50","v2.51","v2.52","v2.53","v2.54","v2.55","v2.56","v2.56a","v2.57","v2.57a","v2.57b","v2.58","v2.58a","v2.59","v2.60","v2.60a","v2.61","v2.63","v2.63a","v2.64","v2.64a","v2.65","v2.65a","v2.66","v2.66a","v2.67","v2.67a","v2.67b","v2.68","v2.68a","v2.69","v2.70","v2.70-rc","v2.70-rc2","v2.70a","v2.71","v2.71-rc1","v2.71-rc2","v2.72","v2.72-rc1","v2.72a","v2.72b","v2.73","v2.73-rc1","v2.73a","v2.74","v2.74-rc1","v2.74-rc2","v2.74-rc3","v2.74-rc4","v2.75","v2.75-rc1","v2.75-rc2","v2.75a","v2.76","v2.76-rc1","v2.76-rc2","v2.76-rc3","v2.76a","v2.76b","v2.77","v2.77-rc1","v2.77-rc2","v2.77a","v2.78","v2.78-rc1","v2.78-rc2","v2.78a","v2.78b","v2.78c","v2.79","v2.79-rc1","v2.79-rc2","v2.79a","v2.79b","v2.80","v2.80-rc1","v2.80-rc2","v2.80-rc3","v2.81","v2.81a","v2.82","v2.82a","v2.83","v2.83.1","v2.83.10","v2.83.12","v2.83.13","v2.83.14","v2.83.15","v2.83.16","v2.83.17","v2.83.18","v2.83.19","v2.83.2","v2.83.20","v2.83.3","v2.83.4","v2.83.5","v2.83.6","v2.83.6.1","v2.83.7","v2.83.8","v2.83.9","v2.90.0","v2.90.1","v2.91.0","v2.91.2","v2.92.0","v2.93.0","v2.93.1","v2.93.2","v2.93.3","v2.93.4","v2.93.5","v2.93.6","v2.93.7","v2.93.8","v3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-0546.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}