cbcvebase.
CVE-2023-43641
published 2023-10-09

CVE-2023-43641: libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the…

PriorityP263high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
16.57%
96.6th percentile
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

Affected

13 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debiandebian_linux
debiandebian_linux
debianlibcue< libcue 2.2.1-4+deb12u1 (bookworm)libcue 2.2.1-4+deb12u1 (bookworm)
fedoraprojectfedora
fedoraprojectfedora
fedoraprojectfedora
lipnitsklibcue< 2.3.02.3.0
lipnitsklibcue<= 2.2.1
lipnitsklibcue>= 0 < 2.2.1-3+deb11u12.2.1-3+deb11u1
lipnitsklibcue>= 0 < 2.2.1-4+deb12u12.2.1-4+deb12u1
lipnitsklibcue>= 0 < 2.2.1-4.12.2.1-4.1
lipnitsklibcue>= 0 < 2.2.1-4.12.2.1-4.1

Detection & IOCsextracted from sources · hover to see the quote

filename*.cue
processtracker-extract
  • Monitor the tracker-extract process for unexpected child process spawning or anomalous memory access patterns when parsing .cue files dropped into ~/Downloads.
  • Alert on .cue files written to ~/Downloads on GNOME desktop systems, as this is the trigger path for automatic exploitation via tracker-miners.
  • Confirmed working exploits exist for Ubuntu 23.04 and Fedora 38; prioritize detection and patching on these distributions.
  • ·Red Hat Enterprise Linux 7, 8, and 9 are NOT affected because libcue is disabled in Red Hat builds of tracker-miners.
  • ·Exploitation requires the GNOME desktop environment with tracker-miners active and libcue enabled; non-GNOME or headless systems are not directly exposed via this attack vector.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.