CVE-2023-43641
high-risk
Published 2023-10-09
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
Do I need to act?
!
80.2% chance of exploitation in next 30 days
EPSS score — higher than 20% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (7)
Affected Vendors
References (20)
Third Party Advisory
https://www.debian.org/security/2023/dsa-5524
Third Party Advisory
https://www.debian.org/security/2023/dsa-5524
64
/ 100
high-risk
Severity
30/34 · Critical
Exploitability
20/34 · Moderate
Exposure
14/34 · Moderate