Skip to main content

Stb Image H CVE-2023-45663

MEDIUM
Use of Uninitialized Resource (CWE-908)
2023-10-21 security-advisories@github.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 21, 2023 - 00:15 nvd
MEDIUM 5.5

DescriptionNVD

stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the stbi__hdr_load function and in the stbi__tga_load function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.

AnalysisAI

stb_image is a single file MIT licensed library for processing images. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Use of Uninitialized Resource (CWE-908), which allows attackers to access uninitialized memory causing crashes or information disclosure. stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the stbi__hdr_load function and in the stbi__tga_load function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer. Affected products include: Nothings Stb Image.H.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Initialize all variables, use compiler warnings for uninitialized access, use memory-safe languages.

CVE-2019-19777 HIGH POC
8.8 Dec 13

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i

CVE-2022-28042 HIGH POC
8.8 Apr 15

stb_image.h v2.27 was discovered to contain an heap-based use-after-free via the function stbi__jpeg_huff_decode. Rated

CVE-2018-16981 HIGH POC
8.8 Sep 12

stb stb_image.h 2.19, as used in catimg, Emscripten, and other products, has a heap-based buffer overflow in the stbi__o

CVE-2021-42716 HIGH POC
7.1 Oct 21

An issue was discovered in stb stb_image.h 2.27. Rated high severity (CVSS 7.1), this vulnerability is no authentication

CVE-2023-43281 MEDIUM POC
6.5 Oct 25

Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a cra

CVE-2022-28041 MEDIUM POC
6.5 Apr 15

stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. Rated

CVE-2019-20056 MEDIUM POC
6.5 Dec 29

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has an assertion failure in stbi__s

CVE-2023-45666 CRITICAL
9.8 Oct 21

stb_image is a single file MIT licensed library for processing images. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2023-43898 MEDIUM POC
5.5 Oct 03

Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. Rated medi

CVE-2023-45664 HIGH
8.8 Oct 21

stb_image is a single file MIT licensed library for processing images. Rated high severity (CVSS 8.8), this vulnerabilit

CVE-2023-45662 HIGH
8.1 Oct 21

stb_image is a single file MIT licensed library for processing images. Rated high severity (CVSS 8.1), this vulnerabilit

CVE-2023-45667 HIGH
7.5 Oct 21

stb_image is a single file MIT licensed library for processing images. Rated high severity (CVSS 7.5), this vulnerabilit

Share

CVE-2023-45663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy