CVE-2023-45664

Double-free in stbi__load_gif_main_outofmem in stb_image

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.

stb_image es una librería con licencia MIT de un solo archivo para procesar imágenes. Un archivo de imagen manipulado puede provocar que `stbi__load_gif_main_outofmem` intente liberar dos veces la variable out. Esto sucede en `stbi__load_gif_main` porque cuando el valor de `layers * stride` es cero, el comportamiento está definido por la implementación, pero es común que la realloc libere la memoria antigua y devuelva un puntero nulo. Dado que intenta liberar dos veces la memoria unas pocas líneas debajo de la primera "free", el problema sólo puede explotarse en un entorno de subprocesos múltiples. En el peor de los casos, esto puede provocar la ejecución del código.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-10 CVE Reserved
2023-10-20 CVE Published
2024-09-12 CVE Updated
2024-10-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-415: Double Free

CAPEC

References (5)

URL	Tag	Source
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L6993-L6995	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMXKOKPP4BKTNUTF5KSRDQAWOUILQZNO
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVABVF4GEM6BYD5L4L64RCRSXUHY6LGN
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVQ7ONFH5GWLMXYEAJG32A3EUKUCEVCR
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nothings Search vendor "Nothings"		Stb Image.h Search vendor "Nothings" for product "Stb Image.h"				2.28 Search vendor "Nothings" for product "Stb Image.h" and version "2.28"		-		Affected