CVE-2023-45663
MEDIUMNothings Stb Image.h - Use of Uninitialized Resource
Title source: ruleDescription
stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/NMXKOKPP4BKTNUTF5KSRDQAWOUILQZNO/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/QVABVF4GEM6BYD5L4L64RCRSXUHY6LGN/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UVQ7ONFH5GWLMXYEAJG32A3EUKUCEVCR/
Third Party Advisory x_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
Third Party Advisory x_refsource_misc
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L1664
Third Party Advisory x_refsource_misc
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L5936C10-L5936C20
Third Party Advisory x_refsource_misc
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L7221
Scores
CVSS v3
5.3
EPSS
0.0014
EPSS Percentile
34.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-908
Status
published
Products (1)
nothings/stb_image.h
2.28
Published
Oct 21, 2023
Tracked Since
Feb 18, 2026