CVE-2023-45664

7.3 HIGH

📋 TL;DR

A double-free vulnerability in the stb_image library allows a crafted GIF image to cause memory corruption. This affects any application that embeds a vulnerable version of stb_image.h for image decoding. In the worst case, it could lead to arbitrary code execution.

💻 Affected Systems

Products:
  • stb_image.h library
  • Applications embedding stb_image.h
Versions: stb_image.h versions before commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9
Operating Systems: All platforms using stb_image.h
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing GIF images with specific malformed layer configurations

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary code execution in multi-threaded environments due to memory corruption from the double-free
🟠 Likely Case: Application crash or denial of service when processing malicious GIF files
🟢 If Mitigated: No impact if the patched version is used or image processing is disabled

🌐 Internet-Facing: MEDIUM - Applications accepting user-uploaded images are vulnerable
🏢 Internal Only: LOW - Requires processing of crafted GIF files

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires multi-threaded environment and crafted GIF file processing

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: stb_image.h commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9 or later

Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/

Restart Required: No

Instructions:

1. Update stb_image.h to latest version from GitHub repository
2. Recompile applications using the library
3. Test image processing functionality

🔧 Temporary Workarounds

Disable GIF processing (all platforms)

Disable GIF image support in applications using stb_image.h by defining the STBI_NO_GIF macro before the header is included, which compiles the GIF decoder out entirely.

# Define STBI_NO_GIF before including stb_image.h (compile-time; removes GIF decoding)

🧯 If You Can't Patch

  • Implement strict file type validation for uploaded images
  • Use alternative image processing libraries for GIF files
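The "strict file type validation" workaround, as an added example that is not part of the advisory or of the stb project: an allow-list gate that classifies an upload by its leading bytes and refuses GIFs (however the file is named or labelled) before the buffer ever reaches stb_image. The function and enum names are my own; it also generalises to deny-by-default, so unrecognised or truncated inputs are refused as well.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Container format identified from an upload's leading bytes. */
typedef enum { IMG_UNKNOWN = 0, IMG_PNG, IMG_JPEG, IMG_BMP, IMG_GIF } img_kind;

/* Classify strictly by magic bytes; the filename extension and the
 * Content-Type header are attacker-controlled and are never consulted. */
img_kind image_kind_from_magic(const unsigned char *buf, size_t len)
{
    static const unsigned char png_sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (len >= 8 && memcmp(buf, png_sig, 8) == 0)
        return IMG_PNG;
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return IMG_JPEG;
    if (len >= 2 && buf[0] == 'B' && buf[1] == 'M')
        return IMG_BMP;
    /* "GIF87a" / "GIF89a" signature that every GIF file starts with. */
    if (len >= 6 && memcmp(buf, "GIF8", 4) == 0 &&
        (buf[4] == '7' || buf[4] == '9') && buf[5] == 'a')
        return IMG_GIF;
    return IMG_UNKNOWN;
}

/* Allow-list gate to place in front of stbi_load_from_memory(): only the
 * formats the application needs pass; GIF and anything unrecognised are
 * rejected before the decoder sees a single byte. Returns 1 to decode. */
int upload_is_decodable(const unsigned char *buf, size_t len)
{
    switch (image_kind_from_magic(buf, len)) {
    case IMG_PNG: case IMG_JPEG: case IMG_BMP: return 1;
    default: return 0;
    }
}

int main(void)
{
    /* Constructed sample inputs: only the header bytes matter to the gate. */
    const unsigned char png[] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
    const unsigned char gif_as_png[] = "GIF89a\x01\x00\x01\x00"; /* uploaded as "photo.png" */
    const unsigned char truncated[] = "GIF";                      /* cut off mid-signature */
    printf("png: %d\n", upload_is_decodable(png, sizeof png));                                 /* 1 */
    printf("gif renamed .png: %d\n", upload_is_decodable(gif_as_png, sizeof gif_as_png - 1)); /* 0 */
    printf("truncated: %d\n", upload_is_decodable(truncated, sizeof truncated - 1));         /* 0 */
    return 0;
}
```

The gate is a stopgap for the decode path only; updating stb_image.h past the fixing commit remains the actual fix.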

🔍 How to Verify

Check if Vulnerable:

Compare the embedded copy of stb_image.h against the fixing commit: any copy taken before commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9 is vulnerable.

Check Version:

grep -rn 'stb_image.h' source_files | head -5

Verify Fix Applied:

Confirm from the upstream commit history that the embedded stb_image.h was taken from commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9 or later, which contains the fix for CVE-2023-45664.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during image processing
  • Memory corruption errors in logs

Network Indicators:

  • Unusual GIF file uploads to image processing endpoints

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "double free" OR "corrupted") AND "image"
