CVE-2019-20446
MEDIUM
librsvg < 2.46.2 - Denial of Service via Nested SVG Pattern Elements
Title source: llm
Description
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
References (7)
Core References
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/4436-1/
Vendor Advisory
https://gitlab.gnome.org/GNOME/librsvg/issues/515
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221111-0004/
Scores
CVSS v3: 6.5
EPSS: 0.0133
EPSS Percentile: 80.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE: CWE-400
Status: published
Products (8)
canonical/ubuntu_linux: 16.04
canonical/ubuntu_linux: 18.04
debian/debian_linux: 9.0
fedoraproject/fedora: 30
fedoraproject/fedora: 31
gnome/librsvg: < 2.40.21
netapp/active_iq_unified_manager
opensuse/leap: 15.1
Published: Feb 02, 2020
Tracked Since: Feb 18, 2026