#VU12123 Out-of-bounds write in Simple DirectMedia Layer - CVE-2018-3839

Cybersecurity Help s.r.o.

Published: 2018-04-24

Vulnerability identifier: #VU12123

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-3839

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Simple DirectMedia Layer
Client/Desktop applications / Multimedia software

Vendor: zlib license

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the XCF image rendering functionality due to out-of-bounds write on the heap. A remote attacker can display a specially crafted XCF image, trick the victim into opening it and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Simple DirectMedia Layer: 2.0.2

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3838

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for SDL2_Image

OpenSUSE Linux update for SDL2

Out-of-bounds write in sdl2_image (Alpine package)

Debian update for sdl-image1.2

Debian update for libsdl2-image