{"id":"CVE-2019-20446","details":"In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.","modified":"2026-03-20T11:28:59.821567Z","published":"2020-02-02T14:15:10.523Z","related":["ALSA-2020:4709","MGASA-2020-0159","SUSE-SU-2020:0604-1","SUSE-SU-2020:0629-1","SUSE-SU-2020:0629-2","openSUSE-SU-2020:0343-1","openSUSE-SU-2024:10986-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html"},{"type":"ADVISORY","url":"https://gitlab.gnome.org/GNOME/librsvg/issues/515"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221111-0004/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4436-1/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/librsvg","events":[{"introduced":"0"},{"fixed":"13fbcd136977f3e765e22181404aafa59f8d8fb3"},{"introduced":"2465e1bfc0aab8d03fb4a2c3a6b6cc110fcbde98"},{"fixed":"6c1c962f063f36b6c317e08af5af77a861e789ae"},{"introduced":"18a4f166c4faf590988823c472bd0333fcf7d1e7"},{"fixed":"d6139dc6e36714486c093a0ee8a83794d1787787"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.40.21"},{"introduced":"2.42.0"},{"fixed":"2.42.8"},{"introduced":"2.44.0"},{"fixed":"2.44.16"}]}}],"versions":["2.42.0","2.42.1","2.42.2","2.42.3","2.42.4","2.42.5","2.42.6","2.42.7","2.43.0","2.43.1","2.43.2","2.43.3","2.43.4","2.44.0","2.44.1","2.44.10","2.44.11","2.44.12","2.44.13","2.44.14","2.44.15","2.44.2","2.44.3","2.44.4","2.44.5","2.44.6","2.44.7","2.44.8","2.44.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20446.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}