[Libguestfs] hivex CVE-2021-3504

Richard W.M. Jones rjones at redhat.com
Mon May 3 10:25:41 UTC 2021

hivex is a library for reading and writing Windows Registry (hive)
files.  Jeremy Galindo, Sr Security Engineer at Datto.com, found a flaw
caused by a lack of bounds checking in hivex_open which would cause
hivex to read memory beyond its normal bounds and/or cause the program
to crash.

A detailed description of the problem and the patch is here:


This was assessed as having moderate impact and assigned
CVE-2021-3504.  The problem affects all versions of hivex <= 1.3.19.
There is no workaround or mitigation, so you should apply the patch
above, or upgrade to hivex 1.3.20:


New packages will be available for Fedora, RHEL and Debian shortly.


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
