Buffer overflow in Lipnitsk Libcue
CVE-2023-43641
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malic…
Vulnerability class: Buffer Overflow
EPSS: 0.803 (99.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Lipnitsk Libcue — versions <= 2.2.1
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/ (x_refsource_CONFIRM)
- https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj (x_refsource_MISC)
- https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea (x_refsource_MISC)
- https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e (x_refsource_MISC)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
- lists.debian.org/debian-lts-announce/2023/10/msg00018.html
- www.debian.org/security/2023/dsa-5524
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
- packetstormsecurity.com/files/176128/libcue-2.2.1-Out-Of-Bounds-Access.html
Frequently asked questions
- What is CVE-2023-43641?
- CVE-2023-43641 is a high-severity vulnerability in Lipnitsk Libcue, classified under Out-of-bounds Write. CVSS score: 8.8/10. Published 2023-10-09.
- How severe is CVE-2023-43641?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2023-43641 known to be exploited?
- 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.