CVE-2021-45949: 
Ghostscript vulnerability analysis and mitigation

Ghostscript GhostPDL versions 9.50 through 9.54.0 contains a heap-based buffer overflow vulnerability in the sampleddatafinish function, which is called from sampleddatacontinue and interp functions. This vulnerability was discovered and disclosed in December 2021 (NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-787: Out-of-bounds Write) with a CVSS v3.1 base score of 5.5 (Medium). The attack vector is local (AV:L) with low attack complexity (AC:L), requires no privileges (PR:N), but does need user interaction (UI:R). The scope is unchanged (S:U), with no impact on confidentiality (C:N) or integrity (I:N), but high impact on availability (A:H) (NVD).

The vulnerability primarily affects system availability through a heap-based buffer overflow, which could result in denial of service and potentially lead to arbitrary code execution if malformed document files are processed (Debian Security).

The vulnerability has been fixed in multiple distributions. Debian has released patches for various versions: version 9.26a~dfsg-0+deb9u8 for Debian 9 (stretch), version 9.27~dfsg-2+deb10u5 for the oldstable distribution (buster), and version 9.53.3~dfsg-7+deb11u2 for the stable distribution (bullseye). Users are recommended to upgrade their ghostscript packages to these patched versions (Debian Security).