lunasvg Segmentation Fault Vulnerability in gray_find_cell Component

Vulnerability

A segmentation fault vulnerability has been identified in lunasvg version 3.0.1. The issue arises in the gray_find_cell function within the plutovg-ft-raster.c file, leading to a segmentation violation when rendering SVGs with AddressSanitizer enabled. This vulnerability can be reproduced using the svg2png example included with the lunasvg distribution.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial of service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by compiling lunasvg with Clang 16.0.6, using CMake with AddressSanitizer enabled. After building, run the svg2png example on a crafted SVG file that triggers the segmentation fault. The AddressSanitizer log will report the memory access violation, confirming that the vulnerability was triggered.
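To check whether an AddressSanitizer log from your own build matches this advisory, the following added example (not part of the original advisory or of lunasvg) parses a report and tests whether the crashing frame is a SEGV in gray_find_cell in plutovg-ft-raster.c. The sample log is constructed for illustration, and the names parse_asan and triage are hypothetical.

```python
import os
import re

ADVISORY_FUNC, ADVISORY_FILE = "gray_find_cell", "plutovg-ft-raster.c"  # from the advisory
HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
# Symbolized frame:   "#0 0xADDR in func /path/file.c:line:col"
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+?)(?::\d+)*$")
# Unsymbolized frame: "#0 0xADDR  (/path/module+0xOFF)"
RAW_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+\s+\(")

# Constructed sample: addresses, line numbers, paths and the caller frame
# are placeholders, not output captured from lunasvg.
SAMPLE_LOG = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000401234 bp 0x7ffc00000010 sp 0x7ffc00000000 T0)
==4242==The signal is caused by a READ memory access.
    #0 0x401234 in gray_find_cell /path/to/plutovg-ft-raster.c:100:5
    #1 0x401500 in placeholder_caller /path/to/placeholder.c:200:9

"""

def parse_asan(log):
    """Return error kind, access type and the first stack trace's frames."""
    report = {"kind": None, "access": None, "frames": [], "symbolized": True}
    for line in log.splitlines():
        if m := HEADER.search(line):
            report["kind"] = m.group(1)
        elif m := ACCESS.search(line):
            report["access"] = m.group(1)
        elif m := FRAME.match(line):
            report["frames"].append((m.group(1), os.path.basename(m.group(2))))
        elif RAW_FRAME.match(line):
            report["symbolized"] = False
        elif report["frames"] and not line.strip():
            break  # blank line ends the first stack trace
    return report

def triage(log):
    """Classify a log: 'match', 'no-match', 'unsymbolized' or 'no-report'."""
    r = parse_asan(log)
    if r["kind"] is None:
        return "no-report"
    if not r["frames"]:
        return "no-match" if r["symbolized"] else "unsymbolized"
    func, src = r["frames"][0]
    hit = r["kind"] == "SEGV" and func == ADVISORY_FUNC and src == ADVISORY_FILE
    return "match" if hit else "no-match"

print(triage(SAMPLE_LOG))
```

An "unsymbolized" result means the build lacks debug symbols or a symbolizer, so the log cannot confirm or rule out a match.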

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.