CVE-2017-7960

MEDIUM

Gnome Libcroco - Out-of-Bounds Read

Title source: rule

Description

The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.

References (4)

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00043.html

[Exploit, Patch, Third Party Advisory] https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/

[Patch, Third Party Advisory] https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394

[Third Party Advisory] https://security.gentoo.org/glsa/201707-13

Scores

CVSS v3 5.5

EPSS 0.0053

EPSS Percentile 67.1%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Classification

CWE

CWE-125

Status published

Affected Products (3)

gnome/libcroco

n/a/n/a

Timeline

Published Apr 19, 2017

Tracked Since Feb 18, 2026