CVE-2023-40032

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-40032
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40032.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-40032
Downstream
Related
  • GHSA-33qp-9pq7-9584
Published
2023-09-11T19:15:43Z
Modified
2025-09-19T14:38:14.647246Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.

References

Affected packages

Git / github.com/libvips/libvips

Affected ranges

Type
GIT
Repo
https://github.com/libvips/libvips
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e091d65835966ef56d53a4105a7362cafdb1582b

Affected versions

v7.*

v7.28.0
v7.30.0

v8.*

v8.0-beta
v8.1
v8.10.0
v8.10.0-beta1
v8.10.0-beta2
v8.10.0-rc1
v8.10.0-rc2
v8.10.1
v8.10.2
v8.10.3
v8.10.4
v8.10.5
v8.10.6
v8.10.6-beta
v8.10.6-beta2
v8.11
v8.11.0
v8.11.0-rc1
v8.11.1
v8.11.2
v8.11.3
v8.11.4
v8.12.0
v8.12.0-rc1
v8.12.1
v8.12.2
v8.13.0
v8.13.0-pre1
v8.13.0-rc1
v8.13.0-rc2
v8.13.1
v8.13.2
v8.13.3
v8.14.0
v8.14.0-rc1
v8.14.1
v8.14.2
v8.14.3
v8.2.2
v8.2.3
v8.3.0
v8.4.2
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.5.6
v8.5.7
v8.5.8
v8.5.9
v8.6.0
v8.6.0-alpha1
v8.6.0-alpha2
v8.6.0-alpha3
v8.6.0-alpha4
v8.6.0-alpha5
v8.6.0-beta1
v8.6.0-beta2
v8.6.1
v8.6.2
v8.6.3
v8.6.4
v8.7.0
v8.7.0-alpha1
v8.7.0-alpha2
v8.7.0-rc1
v8.7.0-rc2
v8.7.0-rc3
v8.7.1
v8.7.2
v8.7.3
v8.7.4
v8.8.0
v8.8.0-rc1
v8.8.0-rc2
v8.8.0-rc3
v8.8.1
v8.8.2
v8.8.3
v8.9.0
v8.9.0-alpha1
v8.9.0-beta1
v8.9.0-beta2
v8.9.0-rc1
v8.9.0-rc2
v8.9.0-rc3
v8.9.0-rc4
v8.9.1
v8.9.2

Database specific 

{
    "vanir_signatures": [
        {
            "id": "CVE-2023-40032-43d9abd1",
            "signature_type": "Line",
            "target": {
                "file": "libvips/foreign/svgload.c"
            },
            "digest": {
                "line_hashes": [
                    "170885517102486561048185613424799958308",
                    "150193661409033258265602678708587110354",
                    "109078347619783598292904595682947213890",
                    "76840711283827397586893892035367920405",
                    "313025448846228725396297086299429834947",
                    "215663477939558576878433716517615608954",
                    "258350027842954322247583112206745139959",
                    "306457976830968174304940078345747825758",
                    "245006766294224326846210864899497322916",
                    "333596440597317500823770783302497869886",
                    "139160533008248596381614970975149558278",
                    "136030083114180078599185088963244874890"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2023-40032-6e475066",
            "signature_type": "Function",
            "target": {
                "file": "libvips/foreign/svgload.c",
                "function": "vips_utf8_strcasestr"
            },
            "digest": {
                "function_hash": "239181187404395919474088618731345168735",
                "length": 819.0
            },
            "source": "https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}