CVE-2023-42103 – This is a use-after-free vulnerability in Ashla... (How to Fix)

Q: What is the severity of CVE-2023-42103?

CVE-2023-42103 has a CVSS score of 7.8 (HIGH). This is a use-after-free vulnerability in Ashlar-Vellum Cobalt's AR file parser that allows remote code execution. Attackers can exploit it by tricking users into opening malicious AR files or visiting malicious web pages. Users of Ashlar-Vellum Cobalt software are affected.

📋 TL;DR

This is a use-after-free vulnerability in Ashlar-Vellum Cobalt's AR file parser that allows remote code execution. Attackers can exploit it by tricking users into opening malicious AR files or visiting malicious web pages. Users of Ashlar-Vellum Cobalt software are affected.

💻 Affected Systems

Products:

Ashlar-Vellum Cobalt

Versions: All versions prior to patched version

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user interaction to open malicious AR file or visit malicious webpage

📦 What is this software?

Cobalt by Ashlar

View all CVEs affecting Cobalt →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation or malware installation on the affected workstation, potentially leading to data exfiltration or persistence establishment.

🟢

If Mitigated

Limited impact due to application sandboxing, limited user privileges, or network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction but has been assigned a ZDI identifier (ZDI-CAN-20660) suggesting active research

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-1452/

Restart Required: Yes

Instructions:

1. Visit Ashlar-Vellum support portal
2. Download latest Cobalt update
3. Install update following vendor instructions
4. Restart system

🔧 Temporary Workarounds

Block AR file extensions

all

Prevent AR files from being opened by Cobalt

Application control

all

Restrict Cobalt from opening files from untrusted sources

🧯 If You Can't Patch

Implement application whitelisting to prevent unauthorized execution
Use network segmentation to isolate affected systems
Educate users about not opening untrusted AR files
Monitor for suspicious process creation from Cobalt

🔍 How to Verify

Check if Vulnerable:

Check Cobalt version against vendor advisory

Check Version:

Check Help > About in Cobalt application

Verify Fix Applied:

Verify installed version matches patched version from vendor

📡 Detection & Monitoring

Log Indicators:

Unexpected process crashes of Cobalt
Suspicious child processes spawned from Cobalt
AR file parsing errors

Network Indicators:

Outbound connections from Cobalt to unknown IPs
DNS requests to suspicious domains after AR file processing

SIEM Query:

Process Creation where ParentImage contains 'cobalt' AND (CommandLine contains '.ar' OR Image contains suspicious patterns)

📊 Metadata

CVE ID: CVE-2023-42103

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: May 3, 2024

Last Updated: August 8, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-23-1452/ Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1452/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-42103, you might also want to check these: