Skip to main content

ThorVG CVE-2026-45729

| EUVDEUVD-2026-33722 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-01 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:29 vuln.today
Analysis Generated
Jun 01, 2026 - 19:29 vuln.today

DescriptionGitHub Advisory

Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5.

AnalysisAI

Null pointer dereference in ThorVG's SVG loader crashes any process that passes untrusted SVG content through Picture::load(), enabling remote denial-of-service with a trivial 6-byte payload. All ThorVG releases prior to 1.0.5 are affected (CPE: cpe:2.3:a:thorvg:thorvg:*:*:*:*:*:*:*:*). No public exploit identified at time of analysis and no CISA KEV listing, but the fix-confirming PR diff (PR #4387) exposes the exact null-check omissions, substantially lowering the bar for independent exploit development.

Technical ContextAI

ThorVG is a C++ vector graphics engine used to render SVG, Lottie, and other formats. The vulnerable code path lives in src/loaders/svg/tvgSvgLoader.cpp. CWE-476 (NULL Pointer Dereference) applies: two distinct null-guard omissions were identified and fixed in PR #4387. First, SvgLoader::clear() lacked a check for ctx.parser being null before use. Second, SvgLoader::run() called root->ref() unconditionally; the fix changes this to if (root) root->ref(). Either condition can be triggered by a crafted SVG document, causing an immediate null pointer dereference and process crash. The 6-byte payload claim in the advisory indicates that a minimal, syntactically degenerate SVG document is sufficient to reach the vulnerable code path.

RemediationAI

Upgrade ThorVG to version 1.0.5, which is confirmed available at https://github.com/thorvg/thorvg/releases/tag/v1.0.5. The fix applies two null guards in src/loaders/svg/tvgSvgLoader.cpp (commit 159f44fd5e3d2eea1b3a70689a894e657e2bb079). If an immediate upgrade is not possible, the most effective compensating control is to reject or sanitize SVG input before it reaches Picture::load() - specifically, validate that input documents are non-empty and structurally well-formed before passing them to the ThorVG API; note that this does not guarantee safety against all malformed inputs but raises the bar above a 6-byte payload. Alternatively, disable SVG loading functionality entirely if it is not operationally required. For server-side deployments rendering user-supplied SVG, consider isolating the ThorVG rendering process in a sandbox (e.g., seccomp, container) so that a crash does not take down the entire service.

Share

CVE-2026-45729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy