Impact
librsvg2-bin 2.40.13 contains a local buffer overflow that causes a segmentation fault when processing specially crafted SVG files. The overflow occurs in the cairo image compositor during SVG conversion, leading to a denial of service for the user running the rsvg command. The vulnerability is a classic stack-based buffer overflow (CWE‑120).
Affected Systems
The affected software is librsvg2-bin version 2.40.13, part of the RSVG image library stack on Linux distributions. Systems that run this binary and allow local users to invoke the rsvg conversion tool are susceptible.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. No EPSS data is available, and the vulnerability is not documented in the CISA KEV catalog. Attackers would need local access to the system to supply the crafted SVG file; no remote attack vector is described. The risk could be mitigated by ensuring only trusted users have permission to execute the rsvg command and by updating to a version where the buffer overflow has been fixed.
OpenCVE Enrichment