libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40032.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-476"
]
}"2026-07-09T11:34:53Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40032.json"
[
{
"id": "CVE-2023-40032-43d9abd1",
"digest": {
"line_hashes": [
"170885517102486561048185613424799958308",
"150193661409033258265602678708587110354",
"109078347619783598292904595682947213890",
"76840711283827397586893892035367920405",
"313025448846228725396297086299429834947",
"215663477939558576878433716517615608954",
"258350027842954322247583112206745139959",
"306457976830968174304940078345747825758",
"245006766294224326846210864899497322916",
"333596440597317500823770783302497869886",
"139160533008248596381614970975149558278",
"136030083114180078599185088963244874890"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b",
"deprecated": false,
"target": {
"file": "libvips/foreign/svgload.c"
}
},
{
"id": "CVE-2023-40032-6e475066",
"digest": {
"function_hash": "239181187404395919474088618731345168735",
"length": 819.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b",
"deprecated": false,
"target": {
"function": "vips_utf8_strcasestr",
"file": "libvips/foreign/svgload.c"
}
}
]