CVE-2019-6462
Published 2019-01-16
Priority P429, medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 2.14% (79.8th percentile)
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cairographics | cairo | — | — |
| cairographics | cairo | >= 0 < 1.17.8-3 | 1.17.8-3 |
| cairographics | cairo | >= 0 < 1.17.8-3 | 1.17.8-3 |
| cairographics | cairo | >= 0 < 1.16.0-5ubuntu2.1 | 1.16.0-5ubuntu2.1 |
| cairographics | cairo | >= 0 < 1.14.6-1ubuntu0.1~esm1 | 1.14.6-1ubuntu0.1~esm1 |
| cairographics | cairo | >= 0 < 1.14.6-1ubuntu0.1~esm2 | 1.14.6-1ubuntu0.1~esm2 |
| cairographics | cairo | >= 0 < 1.15.10-2ubuntu0.1+esm1 | 1.15.10-2ubuntu0.1+esm1 |
| cairographics | cairo | >= 0 < 1.16.0-4ubuntu1+esm1 | 1.16.0-4ubuntu1+esm1 |
| debian | cairo | < cairo 1.17.8-3 (forky) | cairo 1.17.8-3 (forky) |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_cairo_1.17.4-1_on_cbl_mariner_1.0 | — | — |
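CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |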
OSV
cairo vulnerabilities
osv·2026-04-02·CVSS 7.5
CVE-2017-9814 [HIGH] cairo vulnerabilities
Alberto Garcia, Francisco Oca and Suleman Ali discovered that Cairo did
not properly manage memory. An attacker could possibly use this issue to
cause Cairo to crash, resulting in a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2017-9814)
It was discovered that Cairo incorrectly handled certain angle values when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
crash, resulting in a denial of service. (CVE-2019-6461)
It was discovered that Cairo incorrectly handled certain calculations when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
consume resources, resulting in a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubun
GHSA
GHSA-7m29-23h6-ccwp: An issue was discovered in cairo 1
ghsa_unreviewed·2022-05-13
CVE-2019-6462 [MEDIUM] CWE-835 GHSA-7m29-23h6-ccwp: An issue was discovered in cairo 1
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
OSV
cairo vulnerabilities
osv·2022-05-10·CVSS 5.5
CVE-2016-9082 [MEDIUM] cairo vulnerabilities
Gustavo Grieco, Alberto Garcia, Francisco Oca, Suleman Ali, and others
discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2016-9082, CVE-2017-9814, CVE-2019-6462)
Stephan Bergmann discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code.
(CVE-2020-35492)
OSV
CVE-2019-6462: An issue was discovered in cairo 1
osv·2019-01-16·CVSS 6.5
CVE-2019-6462 [MEDIUM] CVE-2019-6462: An issue was discovered in cairo 1
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
Ubuntu
Cairo vulnerabilities
vendor_ubuntu·2026-04-02·CVSS 7.5
CVE-2019-6462 [HIGH] Cairo vulnerabilities
Title: Cairo vulnerabilities
Summary: Several security issues were fixed in Cairo.
Alberto Garcia, Francisco Oca and Suleman Ali discovered that Cairo did
not properly manage memory. An attacker could possibly use this issue to
cause Cairo to crash, resulting in a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2017-9814)
It was discovered that Cairo incorrectly handled certain angle values when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
crash, resulting in a denial of service. (CVE-2019-6461)
It was discovered that Cairo incorrectly handled certain calculations when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
consume resources, resulting in a denial of service. This i
Ubuntu
Cairo vulnerabilities
vendor_ubuntu·2022-05-10·CVSS 5.5
CVE-2017-9814 [MEDIUM] Cairo vulnerabilities
Title: Cairo vulnerabilities
Summary: Several security issues were fixed in cairo.
Gustavo Grieco, Alberto Garcia, Francisco Oca, Suleman Ali, and others
discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2016-9082, CVE-2017-9814, CVE-2019-6462)
Stephan Bergmann discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code.
(CVE-2020-35492)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c
vendor_redhat·2019-01-11·CVSS 6.5
CVE-2019-6462 [MEDIUM] CWE-835 cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
A vulnerability was found in Cairo due to an infinite loop in the _arc_error_normalized function within cairo-arc.c, where an attacker can exploit this flaw by convincing a victim to open a specially crafted file, causing the application to enter an infinite loop and resulting in a denial of service.
Statement: This vulnerability is rated as a moderate because it allows a denial of service due to an infinite loop in the _arc_error_normalized function within cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized, explo
Microsoft
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c related to _arc_max_angle_for_tolerance_normalized.
vendor_msrc·2019-01-08·CVSS 6.5
CVE-2019-6462 [MEDIUM] CWE-835 An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c related to _arc_max_angle_for_tolerance_normalized.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this
Debian
CVE-2019-6462: cairo - An issue was discovered in cairo 1.16.0. There is an infinite loop in the functi...
vendor_debian·2019·CVSS 6.5
CVE-2019-6462 [MEDIUM] CVE-2019-6462: cairo - An issue was discovered in cairo 1.16.0. There is an infinite loop in the functi...
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1.17.8-3)
sid: resolved (fixed in 1.17.8-3)
trixie: resolved (fixed in 1.17.8-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-6462 cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c
bugzilla·2019-01-31·CVSS 6.5
CVE-2019-6462 [MEDIUM] CVE-2019-6462 cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
References:
https://gitlab.freedesktop.org/cairo/cairo/issues/353
Discussion:
Created cairo tracking bugs for this issue:
Affects: fedora-all [bug 1671400]
Created mingw-cairo tracking bugs for this issue:
Affects: epel-7 [bug 1671402]
Affects: fedora-all [bug 1671401]
---
*** Bug 1669026 has been marked as a duplicate of this bug. ***
---
openshift-online-3:
- hosts are affected (package is installed), but it is not used.
- containers are affected (package is installed), but this is limited to the medi
Bugzilla
CVE-2019-6462 mingw-cairo: cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c [fedora-all]
bugzilla·2019-01-31·CVSS 6.5
CVE-2019-6462 [MEDIUM] CVE-2019-6462 mingw-cairo: cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: t
Bugzilla
CVE-2019-6462 mingw-cairo: cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c [epel-7]
bugzilla·2019-01-31·CVSS 6.5
CVE-2019-6462 [MEDIUM] CVE-2019-6462 mingw-cairo: cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Us
Bugzilla
CVE-2019-6462 cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c [fedora-all]
bugzilla·2019-01-31·CVSS 6.5
CVE-2019-6462 [MEDIUM] CVE-2019-6462 cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
https://github.com/TeamSeri0us/pocs/tree/master/gerbv
https://gitlab.freedesktop.org/cairo/cairo/issues/353
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
Published: 2019-01-16