Source: thorvg Version: 1.0.3+dfsg2-4 Severity: grave Tags: security upstream Forwarded: https://github.com/thorvg/thorvg/pull/4387 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for thorvg. CVE-2026-45729[0]: | Thor Vector Graphics (ThorVG) is a production-ready vector graphics | engine. Prior to version 1.0.5, a null pointer dereference in | SvgLoader::run() allows any caller that passes untrusted SVG data to | Picture::load() to crash the process with a 6-byte payload. This | issue has been patched in version 1.0.5. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-45729 https://www.cve.org/CVERecord?id=CVE-2026-45729 [1] https://github.com/thorvg/thorvg/pull/4387 [2] https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64 [3] https://github.com/thorvg/thorvg/commit/599db59600aefab904fc8465bd86ac29e1de168c Regards, Salvatore
