CVE-2023-40032

Source
https://cve.org/CVERecord?id=CVE-2023-40032
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40032.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-40032
Aliases
  • GHSA-33qp-9pq7-9584
Downstream
Published
2023-09-11T18:34:59.025Z
Modified
2026-07-09T11:34:53.073738Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Potential segfault due to NULL pointer dereference in libvips
Details

libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40032.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-476"
    ]
}
References

Affected packages

Git / github.com/libvips/libvips

Affected ranges

Type
GIT
Repo
https://github.com/libvips/libvips
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "8.12.0"
        },
        {
            "fixed": "8.14.4"
        }
    ]
}

Affected versions

v8.*
v8.12.0
v8.13.0
v8.13.0-pre1
v8.13.0-rc1
v8.13.0-rc2
v8.14.0
v8.14.0-rc1
v8.14.1
v8.14.2
v8.14.3

Database specific

vanir_signatures_modified
"2026-07-09T11:34:53Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40032.json"
vanir_signatures
[
    {
        "id": "CVE-2023-40032-43d9abd1",
        "digest": {
            "line_hashes": [
                "170885517102486561048185613424799958308",
                "150193661409033258265602678708587110354",
                "109078347619783598292904595682947213890",
                "76840711283827397586893892035367920405",
                "313025448846228725396297086299429834947",
                "215663477939558576878433716517615608954",
                "258350027842954322247583112206745139959",
                "306457976830968174304940078345747825758",
                "245006766294224326846210864899497322916",
                "333596440597317500823770783302497869886",
                "139160533008248596381614970975149558278",
                "136030083114180078599185088963244874890"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b",
        "deprecated": false,
        "target": {
            "file": "libvips/foreign/svgload.c"
        }
    },
    {
        "id": "CVE-2023-40032-6e475066",
        "digest": {
            "function_hash": "239181187404395919474088618731345168735",
            "length": 819.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b",
        "deprecated": false,
        "target": {
            "function": "vips_utf8_strcasestr",
            "file": "libvips/foreign/svgload.c"
        }
    }
]