Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2023-45664

Double Free

Published: Oct 21, 2023 | Modified: Nov 21, 2024
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-45664
CWEhttps://cwe.mitre.org/data/definitions/415.html

stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger stbi__load_gif_main_outofmem attempt to double-free the out variable. This happens in stbi__load_gif_main because when the layers * stride value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.

Weakness

The product calls free() twice on the same memory address.

Affected Software

NameVendorStart VersionEnd Version
Stb_image.hNothings2.28 (including)2.28 (including)
LibstbUbuntubionic*
LibstbUbuntufocal*
LibstbUbuntulunar*
LibstbUbuntumantic*
LibstbUbuntuoracular*
LibstbUbuntuplucky*
LibstbUbuntutrusty*
LibstbUbuntuxenial*

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use