lunasvg
cpe:2.3:a:sammycage:lunasvg:*:*:*:*:*:*:*
- 3.0.0
A segmentation fault vulnerability has been identified in lunasvg version 3.0.0. This issue arises from a null pointer dereference in the 'plutovg_path_add_path' function, leading to a read memory access violation. The vulnerability can be triggered by specific SVG files that cause the application to attempt to read from an invalid memory address, resulting in a crash.
Exploitation of this vulnerability causes a segmentation fault, leading to a crash of the application.
The vulnerability can be reproduced by using the 'svg2png' command-line tool included with lunasvg. After compiling lunasvg with AddressSanitizer enabled, the tool can be run with SVG files that trigger the segmentation fault. This can be done by specifying the SVG file name and the desired output size.
Users can update to lunasvg version 3.1.0, where this vulnerability has been fixed.