Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5.
AnalysisAI
Null pointer dereference in ThorVG's SVG loader crashes any process that passes untrusted SVG content through Picture::load(), enabling remote denial-of-service with a trivial 6-byte payload. All ThorVG releases prior to 1.0.5 are affected (CPE: cpe:2.3:a:thorvg:thorvg:*:*:*:*:*:*:*:*). No public exploit identified at time of analysis and no CISA KEV listing, but the fix-confirming PR diff (PR #4387) exposes the exact null-check omissions, substantially lowering the bar for independent exploit development.
Technical ContextAI
ThorVG is a C++ vector graphics engine used to render SVG, Lottie, and other formats. The vulnerable code path lives in src/loaders/svg/tvgSvgLoader.cpp. CWE-476 (NULL Pointer Dereference) applies: two distinct null-guard omissions were identified and fixed in PR #4387. First, SvgLoader::clear() lacked a check for ctx.parser being null before use. Second, SvgLoader::run() called root->ref() unconditionally; the fix changes this to if (root) root->ref(). Either condition can be triggered by a crafted SVG document, causing an immediate null pointer dereference and process crash. The 6-byte payload claim in the advisory indicates that a minimal, syntactically degenerate SVG document is sufficient to reach the vulnerable code path.
RemediationAI
Upgrade ThorVG to version 1.0.5, which is confirmed available at https://github.com/thorvg/thorvg/releases/tag/v1.0.5. The fix applies two null guards in src/loaders/svg/tvgSvgLoader.cpp (commit 159f44fd5e3d2eea1b3a70689a894e657e2bb079). If an immediate upgrade is not possible, the most effective compensating control is to reject or sanitize SVG input before it reaches Picture::load() - specifically, validate that input documents are non-empty and structurally well-formed before passing them to the ThorVG API; note that this does not guarantee safety against all malformed inputs but raises the bar above a 6-byte payload. Alternatively, disable SVG loading functionality entirely if it is not operationally required. For server-side deployments rendering user-supplied SVG, consider isolating the ThorVG rendering process in a sandbox (e.g., seccomp, container) so that a crash does not take down the entire service.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33722