CVE-2023-43641 — Out-of-bounds Write in Libcue

CWE-787 — Out-of-bounds Write7 documents6 sources

Severity

8.8HIGHNVD

EPSS

80.2%

top 0.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lipnitsk Libcue Debian Libcue Debian Linux +1 more

Timeline

PublishedOct 9

Latest updateOct 17

Description

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code e…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/libcue< libcue 2.2.1-4+deb12u1 (bookworm)

▶NVDlipnitsk/libcue< 2.3.0

▶Debianlipnitsk/libcue< 2.2.1-3+deb11u1+3

▶CVEListV5lipnitsk/libcue2.2.1

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 37, 38, 39

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-43641: libcue provides an API for parsing and extracting data from CUE sheets↗2023-10-09

▶

📋Vendor Advisories

Ubuntu

CUE vulnerability↗2023-10-17

▶

Red Hat

libcue: out-of-bounds array access leads to RCE↗2023-10-09

▶

Ubuntu

CUE vulnerability↗2023-10-09

▶

Debian

CVE-2023-43641: libcue - libcue provides an API for parsing and extracting data from CUE sheets. Versions...↗2023

▶

🕵️Threat Intelligence

Bleepingcomputer

GNOME Linux systems exposed to RCE attacks via file downloads↗2023-10-09

▶