CVE-2021-31598: 
Linux Debian vulnerability analysis and mitigation

An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_decode() performs incorrect memory handling while parsing crafted XML files, leading to a heap-based buffer overflow. The vulnerability was assigned CVE-2021-31598 and was disclosed on April 24, 2021. The vulnerability affects multiple software packages that use the ezXML library, including netcdf, netcdf-parallel, and scilab (NVD, Debian Security).

The vulnerability exists in the ezxml_decode() function where incorrect memory handling occurs during XML file parsing. The issue specifically involves an out-of-bounds write that corrupts heap memory by overwriting adjacent heap chunk size meta data. When attempting to free the corrupt heap memory, the target program crashes. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, SourceForge Bug).

The vulnerability can lead to program crashes due to heap memory corruption. When exploited, it primarily affects the availability of the system, as indicated by the CVSS scoring which shows high impact on availability but no impact on confidentiality or integrity (NVD).

Security updates have been released for affected packages. For Debian 9 stretch, the issue has been fixed in scilab version 5.5.2-4+deb9u1. The netcdf package has been fixed in version 1:4.9.0-1, and netcdf-parallel has also received security updates (Debian LTS).