CVE-2021-28465: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2021-28465) exists in Microsoft Windows Web Media Extensions, specifically within the parsing of FLAC files. The vulnerability was discovered in early 2021 and publicly disclosed on May 11, 2021. The issue affects Microsoft Web Media Extensions prior to version 1.0.40831.0 (NVD, ZDI-572).

The vulnerability stems from the lack of proper validation of user-supplied data during FLAC file parsing, which can result in an out-of-bounds write past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user at low integrity. The vulnerability affects confidentiality, integrity, and availability of the system (ZDI-572, ZDI-579).

Microsoft has released security updates to address this vulnerability. Users are advised to update to the latest version of Web Media Extensions (version 1.0.40831.0 or later) to protect against this vulnerability (NVD).