CVE-2017-7960

low-risk

Published 2017-04-19

The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.

Do I need to act?

0.39% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (2)

Libcroco

Affected Vendors

Gnome

References (8)

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00043.html

Exploit https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-beh...

Patch https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e9...

Third Party Advisory https://security.gentoo.org/glsa/201707-13

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00043.html

Exploit https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-beh...

Patch https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e9...

Third Party Advisory https://security.gentoo.org/glsa/201707-13

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low