CVE-2021-27036: 
Autodesk Design Review vulnerability analysis and mitigation

A maliciously crafted PCX, PICT, RCL, TIF, BMP, PSD or TIFF file can be used to write beyond the allocated buffer while parsing PCX, PDF, PICT, RCL, BMP, PSD or TIFF files in Autodesk Design Review. This vulnerability (CVE-2021-27036) was discovered in 2021 and affects multiple versions of Autodesk Design Review (2018, 2017, 2013, 2012, 2011). The vulnerability received a CVSS v3.1 score of 7.8 (High) (NVD).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) that occurs during the parsing of various file formats. The specific flaw exists within the parsing of PCX files, where there is a lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer (ZDI-21-1138). The vulnerability has a CVSS v3.1 Base Score of 7.8 HIGH with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability can lead to arbitrary code execution in the context of the current process. The high CVSS score indicates that successful exploitation could result in a complete compromise of the system's confidentiality, integrity, and availability (Autodesk Advisory).

Autodesk has released security updates to address this vulnerability. Users of Autodesk Design Review 2018 are advised to install Hotfix 5. For earlier versions (2013 or earlier), users need to upgrade to version 2018 or later. The fix is available through the Autodesk Knowledge Network (Autodesk Advisory).