CVE-2023-40032
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
11/09/2023
Last modified:
21/04/2025
Description
libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* | ||
| cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:* | 8.12.0 (including) | 8.14.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b
- https://github.com/libvips/libvips/pull/3604
- https://github.com/libvips/libvips/security/advisories/GHSA-33qp-9pq7-9584
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU2FFC47X2XDEGEHEWAGLU5L3R6FEYD2/
- https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b
- https://github.com/libvips/libvips/pull/3604
- https://github.com/libvips/libvips/security/advisories/GHSA-33qp-9pq7-9584
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU2FFC47X2XDEGEHEWAGLU5L3R6FEYD2/