Potential segfault due to NULL pointer dereference in libvips
CVE-2023-40032

5.5MEDIUM

Key Information:

Vendor: Libvips
Status: Libvips
Vendor: CVE Published:; 11 September 2023

🔔 Create Libvips Vulnerability Alert

What is CVE-2023-40032?

libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.

Affected Version(s)

libvips < 8.14.4

References

https://github.com/libvips/libvips/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/libvips/libvips/pull/3604

x_refsource_MISC

https://github.com/libvips/libvips/commit/e091d65835966ef...

x_refsource_MISC

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 11, 2023
Vulnerability Reserved
Aug 8, 2023

CVE-2023-40032 Data

.