Description
libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.
References (4)
Core 4
Core References
Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]/message/YU2FFC47X2XDEGEHEWAGLU5L3R6FEYD2/
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://github.com/libvips/libvips/security/advisories/GHSA-33qp-9pq7-9584
Patch x_refsource_misc
https://github.com/libvips/libvips/pull/3604
Scores
CVSS v3
5.5
EPSS
0.0012
EPSS Percentile
30.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-476
Status
published
Products (2)
fedoraproject/fedora
39
libvips/libvips
8.12.0 - 8.14.4
Published
Sep 11, 2023
Tracked Since
Feb 18, 2026