CVE-2020-35492
published 2021-03-18CVE-2020-35492: A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's…
PriorityP337high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
1.11%
61.9th percentile
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cairographics | cairo | < 1.17.4 | 1.17.4 |
| cairographics | cairo | — | — |
| cairographics | cairo | >= 0 < 1.16.0-5 | 1.16.0-5 |
| cairographics | cairo | >= 0 < 1.16.0-5 | 1.16.0-5 |
| cairographics | cairo | >= 0 < 1.16.0-5 | 1.16.0-5 |
| cairographics | cairo | >= 0 < 1.16.0-5 | 1.16.0-5 |
| cairographics | cairo | >= 0 < 1.16.0-5ubuntu2.1 | 1.16.0-5ubuntu2.1 |
| cairographics | cairo | >= 0 < 1.14.6-1ubuntu0.1~esm1 | 1.14.6-1ubuntu0.1~esm1 |
| cairographics | cairo | >= 0 < 1.14.6-1ubuntu0.1~esm2 | 1.14.6-1ubuntu0.1~esm2 |
| cairographics | cairo | >= 0 < 1.15.10-2ubuntu0.1+esm1 | 1.15.10-2ubuntu0.1+esm1 |
| cairographics | cairo | >= 0 < 1.16.0-4ubuntu1+esm1 | 1.16.0-4ubuntu1+esm1 |
| debian | cairo | < cairo 1.16.0-5 (bookworm) | cairo 1.16.0-5 (bookworm) |
| msrc | cm1_cairo_1.17.4-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv7.8HIGH
vendor_debian7.8HIGH
vendor_msrc7.8HIGH
vendor_redhat7.8HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
cairo vulnerabilities
osv·2026-04-02·CVSS 7.5
CVE-2017-9814 [HIGH] cairo vulnerabilities
cairo vulnerabilities
Alberto Garcia, Francisco Oca and Suleman Ali discovered that Cairo did
not properly manage memory. An attacker could possibly use this issue to
cause Cairo to crash, resulting in a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2017-9814)
It was discovered that Cairo incorrectly handled certain angle values when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
crash, resulting in a denial of service. (CVE-2019-6461)
It was discovered that Cairo incorrectly handled certain calculations when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
consume resources, resulting in a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubun
GHSA
GHSA-65pg-7gjm-q28m: A flaw was found in cairo's image-compositor
ghsa_unreviewed·2022-05-24
CVE-2020-35492 [HIGH] CWE-121 GHSA-65pg-7gjm-q28m: A flaw was found in cairo's image-compositor
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
OSV
cairo vulnerabilities
osv·2022-05-10·CVSS 5.5
CVE-2016-9082 [MEDIUM] cairo vulnerabilities
cairo vulnerabilities
Gustavo Grieco, Alberto Garcia, Francisco Oca, Suleman Ali, and others
discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2016-9082, CVE-2017-9814, CVE-2019-6462)
Stephan Bergmann discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code.
(CVE-2020-35492)
OSV
CVE-2020-35492: A flaw was found in cairo's image-compositor
osv·2021-03-18·CVSS 7.8
CVE-2020-35492 [HIGH] CVE-2020-35492: A flaw was found in cairo's image-compositor
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
Ubuntu
Cairo vulnerabilities
vendor_ubuntu·2026-04-02·CVSS 7.5
CVE-2019-6462 [HIGH] Cairo vulnerabilities
Title: Cairo vulnerabilities
Summary: Several security issues were fixed in Cairo.
Alberto Garcia, Francisco Oca and Suleman Ali discovered that Cairo did
not properly manage memory. An attacker could possibly use this issue to
cause Cairo to crash, resulting in a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2017-9814)
It was discovered that Cairo incorrectly handled certain angle values when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
crash, resulting in a denial of service. (CVE-2019-6461)
It was discovered that Cairo incorrectly handled certain calculations when
drawing arcs. An attacker could possibly use this issue to cause Cairo to
consume resources, resulting in a denial of service. This i
Ubuntu
Cairo vulnerabilities
vendor_ubuntu·2022-05-10·CVSS 5.5
CVE-2017-9814 [MEDIUM] Cairo vulnerabilities
Title: Cairo vulnerabilities
Summary: Several security issues were fixed in cairo.
Gustavo Grieco, Alberto Garcia, Francisco Oca, Suleman Ali, and others
discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2016-9082, CVE-2017-9814, CVE-2019-6462)
Stephan Bergmann discovered that Cairo incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code.
(CVE-2020-35492)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example by convincing
vendor_msrc·2021-03-09·CVSS 7.8
CVE-2020-35492 [HIGH] CWE-787 A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example by convincing
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example by convincing a user to open a file in an application using cairo or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality integrity as well as system availability.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open so
Red Hat
cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes
vendor_redhat·2020-12-28·CVSS 7.8
CVE-2020-35492 [HIGH] CWE-121 cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes
cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
A flaw was found in cairo's image-compositor.c. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an applicatio
Debian
CVE-2020-35492: cairo - A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. ...
vendor_debian·2020·CVSS 7.8
CVE-2020-35492 [HIGH] CVE-2020-35492: cairo - A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. ...
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
Scope: local
bookworm: resolved (fixed in 1.16.0-5)
bullseye: resolved (fixed in 1.16.0-5)
forky: resolved (fixed in 1.16.0-5)
sid: resolved (fixed in 1.16.0-5)
trixie: resolved (fixed in 1.16.0-5)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-03-18
Published