CVE-2021-29096: 
Esri ArcGIS ArcReader vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2021-29096) was discovered in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier). The vulnerability was reported on December 4, 2020, and publicly disclosed on March 30, 2021. The flaw exists within the parsing of PMF files, allowing an unauthenticated attacker to achieve arbitrary code execution in the context of the current user (ZDI Advisory, NIST NVD).

The vulnerability is classified as a Use-After-Free (CWE-416) issue that occurs during the parsing of specially crafted PMF files. The specific flaw allows a pointer to be reused after it has been freed. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (NIST NVD, Esri Blog).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current user. The high CVSS score reflects the severe potential impact on confidentiality, integrity, and availability of the affected systems (ZDI Advisory).

Esri has released official updates to address this vulnerability. For ArcGIS Pro users, version 2.7.1 or later is recommended. The vendor has confirmed the fix and marked it as an official remediation (Esri Blog).