CVE-2023-40032 — NULL Pointer Dereference in Libvips

CWE-476 — NULL Pointer Dereference6 documents5 sources

Severity

5.5MEDIUMNVD

OSV7.5

EPSS

0.1%

top 69.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libvips Fedoraproject Fedora

Timeline

PublishedSep 11

Latest updateOct 18

Description

libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5libvips/libvips< 8.14.4

▶NVDlibvips/libvips8.12.0 — 8.14.4

Also affects: Fedora 39

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

vips vulnerabilities↗2023-10-18

▶

CVEList

Potential segfault due to NULL pointer dereference in libvips↗2023-09-11

▶

OSV

CVE-2023-40032: libvips is a demand-driven, horizontally threaded image processing library↗2023-09-11

▶

📋Vendor Advisories

Ubuntu

VIPS vulnerabilities↗2023-10-18

▶

Debian

CVE-2023-40032: vips - libvips is a demand-driven, horizontally threaded image processing library. A sp...↗2023

▶