CVE-2024-27929: Use After Free in SixLabors.ImageSharp
Impact
A heap use-after-free flaw was found in the InitializeImage() function in ImageSharp’s PngDecoderCore.cs file. The vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure.
Patches
The problem has been patched. All users are advised to upgrade to v3.1.3 or v2.1.7.
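A check for the upgrade advice above, as an added example that is not part of the advisory or of ImageSharp: it reads MSBuild project XML and flags SixLabors.ImageSharp references below the fixed release of their major line. It assumes that releases older than v2.1.7 in 2.x and v3.1.3 in 3.x need the upgrade and that later major lines carry the fix; the sample project file is constructed.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "SixLabors.ImageSharp"
# Fixed releases named in the advisory, keyed by major version line.
FIXED = {2: (2, 1, 7), 3: (3, 1, 3)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-[0-9A-Za-z.-]+)?")

def classify(version_text):
    """Return 'patched', 'upgrade' or 'unknown' for one declared version."""
    m = VERSION_RE.fullmatch(version_text.strip())
    if not m:
        return "unknown"  # ranges, wildcards, $(Property) or centrally managed
    core = (int(m[1]), int(m[2]), int(m[3] or 0))
    fixed = FIXED.get(core[0])
    if fixed is None:
        # Assumption: lines after 3.x carry the fix; none is named before 2.x.
        return "patched" if core[0] > max(FIXED) else "unknown"
    if core > fixed or (core == fixed and m[4] is None):
        return "patched"
    return "upgrade"  # older release, or a prerelease of the fixed version

def local(tag):  # strip an XML namespace so old-style projects also match
    return tag.rsplit("}", 1)[-1]

def scan_project(xml_text):
    """List (declared_version, verdict) for each ImageSharp reference."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update") or ""
        if name.lower() != PACKAGE.lower():  # NuGet ids are case-insensitive
            continue
        version = el.get("Version")
        if version is None:  # version given as a child element, or not at all
            version = next((c.text or "" for c in el if local(c.tag) == "Version"), "")
        results.append((version, classify(version)))
    return results

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="SixLabors.ImageSharp" Version="3.1.2" />
  <PackageReference Include="sixlabors.imagesharp"><Version>2.1.7</Version></PackageReference>
  <PackageReference Include="SixLabors.ImageSharp" Version="3.*" />
  <PackageReference Include="SixLabors.ImageSharp.Drawing" Version="2.1.0" />
</ItemGroup></Project>"""
if __name__ == "__main__":
    for version, verdict in scan_project(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {version or '(no version)'}: {verdict}")
```

An "unknown" verdict means the declared version is a range, wildcard or property reference; the version actually resolved at restore time has to be checked for those entries.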
Workarounds
None
References
None