CVE-2023-45666
CVE-2023-45666 is a high-severity vulnerability in Nothings Stb Image.h with a CVSS 3.x base score of 7.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-415.
Key facts
- Severity: High (CVSS 3.x base score 7.3)
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-415
- Affected product: Nothings Stb Image.h
- Published:
- Last modified:
Description
stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed
Frequently asked questions
- What is CVE-2023-45666?
- stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed
- How severe is CVE-2023-45666?
- CVE-2023-45666 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2023-45666 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-45666?
- CVE-2023-45666 affects Nothings Stb Image.h. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-45666?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-45666 published?
- CVE-2023-45666 was published on 2023-10-21 and last updated on 2026-06-17.
References
- https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L6957
- https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L6962-L7045
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NMXKOKPP4BKTNUTF5KSRDQAWOUILQZNO/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QVABVF4GEM6BYD5L4L64RCRSXUHY6LGN/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/UVQ7ONFH5GWLMXYEAJG32A3EUKUCEVCR/
- https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
Affected products (1)
- cpe:2.3:a:nothings:stb_image.h:2.28:*:*:*:*:*:*:*
More vulnerabilities in Nothings Stb Image.h
- CVE-2022-28042 — High (CVSS 8.8): stb_image.h v2.27 was discovered to contain an heap-based use-after-free via the function stbi__jpeg_huff_decode.
- CVE-2019-19777 — High (CVSS 8.8): stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read…
- CVE-2018-16981 — High (CVSS 8.8): stb stb_image.h 2.19, as used in catimg, Emscripten, and other products, has a heap-based buffer overflow in the…
- CVE-2023-45664 — High (CVSS 7.3): stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger…
- CVE-2021-42716 — High (CVSS 7.1): An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when…
- CVE-2023-43281 — Medium (CVSS 6.5): Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a…
All CVEs affecting Nothings Stb Image.h →
Other CWE-415 (Double Free) vulnerabilities
- CVE-2018-0101 — Critical (CVSS 10.0): A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA)…
- CVE-2026-8925 — Critical (CVSS 9.8): The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing…
- CVE-2020-37239 — Critical (CVSS 9.8): libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety…
- CVE-2026-43414 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double…
- CVE-2026-43011 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix potential double free of skb When…
- CVE-2026-31609 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in…