CVE-2019-14906
moderate-risk
Published 2020-01-07
A flaw was found with the RHSA-2019:3950 erratum: it did not actually fix the SDL vulnerability tracked as CVE-2019-13616. This issue only affects Red Hat SDL packages. SDL versions through 1.2.15 and 2.x through 2.0.9 have a heap-based buffer overflow while copying an existing surface into a new, optimized one; the overflow is possible because of a lack of validation while loading a BMP image. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or execute code. Because the erratum did not fix the issue, having applied RHSA-2019:3950 is not evidence that the flaw is closed.
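The description attributes the overflow to missing validation while loading a BMP image before the surface is copied. As an added illustration (this is not SDL's code, and it is not a claim about which exact check Red Hat's erratum missed), the validator below shows the kind of consistency checks a BMP loader should apply to the header fields a later surface copy or blitter trusts: bit depth, row pitch, palette size, and whether the pixel data claimed by the header is actually present in the file. The function names, the enum, the 256 MiB allocation budget, and the constructed test inputs are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not SDL code: defensive header validation for uncompressed BMP
 * files, done before any surface memory is allocated or copied. */
enum bmp_status {
    BMP_OK = 0,
    BMP_TOO_SHORT,    /* file shorter than the two fixed headers */
    BMP_BAD_MAGIC,    /* does not start with "BM" */
    BMP_UNSUPPORTED,  /* compressed or non-BITMAPINFOHEADER file (out of scope here) */
    BMP_BAD_BPP,      /* bit depth outside {1,4,8,24,32} */
    BMP_BAD_DIMS,     /* non-positive width or zero height */
    BMP_TOO_LARGE,    /* pitch * height exceeds the allocation budget */
    BMP_BAD_PALETTE,  /* more palette entries than the bit depth can index */
    BMP_BAD_OFFSET,   /* pixel data overlaps the headers/palette or starts past EOF */
    BMP_TRUNCATED     /* fewer pixel bytes present than pitch * height */
};

#define BMP_MAX_PIXEL_BYTES ((uint64_t)256 << 20)  /* assumed policy: refuse > 256 MiB */

struct bmp_info {
    uint32_t width, height;    /* height as a magnitude; its sign only selects row order */
    uint16_t bpp;
    uint32_t palette_entries, data_offset;
    uint32_t pitch;            /* bytes per row, rounded up to a 4-byte boundary */
    uint64_t pixel_bytes;      /* pitch * height */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

enum bmp_status bmp_validate(const uint8_t *buf, size_t len, struct bmp_info *out)
{
    if (len < 54) return BMP_TOO_SHORT;               /* 14-byte file header + 40-byte info header */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;
    uint32_t data_offset = rd32(buf + 10), hdr_size = rd32(buf + 14);
    int32_t  w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30), colors_used = rd32(buf + 46);

    if (hdr_size < 40 || hdr_size > len - 14 || compression != 0) return BMP_UNSUPPORTED;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return BMP_BAD_BPP;
    if (w <= 0 || h == 0 || h == INT32_MIN) return BMP_BAD_DIMS;
    uint32_t height = (uint32_t)(h < 0 ? -h : h);

    /* 64-bit arithmetic so a huge width cannot wrap the pitch to a small value. */
    uint64_t pitch = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = pitch * height;
    if (pixel_bytes > BMP_MAX_PIXEL_BYTES) return BMP_TOO_LARGE;

    /* Indexed depths carry a palette, which can never hold more than 2^bpp entries. */
    uint32_t palette_entries = 0;
    if (bpp <= 8) {
        uint32_t max_entries = 1u << bpp;
        if (colors_used > max_entries) return BMP_BAD_PALETTE;
        palette_entries = colors_used ? colors_used : max_entries;
    }
    /* Pixel data must start after headers and palette, and every row must be present. */
    uint64_t headers_end = 14 + (uint64_t)hdr_size + (uint64_t)palette_entries * 4;
    if (data_offset < headers_end || data_offset > len) return BMP_BAD_OFFSET;
    if (pixel_bytes > len - data_offset) return BMP_TRUNCATED;

    if (out) {
        out->width = (uint32_t)w; out->height = height; out->bpp = bpp;
        out->palette_entries = palette_entries; out->data_offset = data_offset;
        out->pitch = (uint32_t)pitch; out->pixel_bytes = pixel_bytes;
    }
    return BMP_OK;
}

/* Constructs an in-memory BI_RGB file of file_len bytes with the given header fields
 * (pixel bytes left zeroed) and runs the validator on it. */
enum bmp_status bmp_check_case(int32_t w, int32_t h, uint16_t bpp, uint32_t colors_used,
                               uint32_t data_offset, size_t file_len, uint64_t *pixel_bytes_out)
{
    uint8_t *buf = calloc(file_len < 54 ? 54 : file_len, 1);
    if (!buf) return BMP_TOO_LARGE;
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)file_len); wr32(buf + 10, data_offset); wr32(buf + 14, 40);
    wr32(buf + 18, (uint32_t)w); wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1); wr16(buf + 28, bpp); wr32(buf + 46, colors_used);
    struct bmp_info info;
    enum bmp_status st = bmp_validate(buf, file_len, &info);
    if (pixel_bytes_out) *pixel_bytes_out = (st == BMP_OK) ? info.pixel_bytes : 0;
    free(buf);
    return st;
}

uint64_t bmp_case_pixel_bytes(int32_t w, int32_t h, uint16_t bpp, uint32_t colors_used,
                              uint32_t data_offset, size_t file_len)
{
    uint64_t px = 0;
    bmp_check_case(w, h, bpp, colors_used, data_offset, file_len, &px);
    return px;
}

int main(void)
{
    /* Constructed input: a 2x2, 8-bit image with a full 256-entry palette, then the
     * same header claiming 300 palette entries, which 8 bits cannot index. */
    printf("valid 2x2 8bpp: status=%d pixel_bytes=%llu\n",
           (int)bmp_check_case(2, 2, 8, 0, 1078, 1086, NULL),
           (unsigned long long)bmp_case_pixel_bytes(2, 2, 8, 0, 1078, 1086));
    printf("300-entry palette: status=%d\n", (int)bmp_check_case(2, 2, 8, 300, 1078, 1086, NULL));
    return 0;
}
```

The point of validating before allocation is that the pitch and pixel byte count computed here are the same numbers a surface copy or blitter will later iterate over; if they are derived from header fields that were never checked against the file's real length or the palette's real size, the copy reads or writes past the buffer the loader actually filled.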
Do I need to act?
EPSS: 1.1% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 9.8/10, Critical (attack vector NETWORK, LOW attack complexity)
Affected Products (2)
References (2)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14906
Risk score: 42/100, moderate-risk
Severity: 32/34, Critical
Exploitability: 3/34, Minimal
Exposure: 7/34, Low