{"id":"CVE-2023-43641","summary":"libcue vulnerable to out-of-bounds array access","details":"libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.","aliases":["GHSA-5982-x7hv-r9cj"],"modified":"2026-04-29T12:20:14.337281Z","published":"2023-10-09T21:01:04.603Z","related":["SUSE-SU-2023:4090-1","USN-6423-2","openSUSE-SU-2024:13319-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43641.json","cwe_ids":["CWE-787"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/176128/libcue-2.2.1-Out-Of-Bounds-Access.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00018.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57JEYTRFG4PVGZZ7HIEFTX5I7OONFFMI/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGQOMFDBXGM3DOICCXKCUS76OTKTSPMN/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XUS4HTNGGGUIFLYSKTODCRIOXLX5HGV3/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43641.json"},{"type":"ADVISORY","url":"https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43641"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5524"},{"type":"FIX","url":"https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea"},{"type":"FIX","url":"https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e"},{"type":"ARTICLE","url":"https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lipnitsk/libcue","events":[{"introduced":"0"},{"fixed":"fdf72c8bded8d24cfa0608b8e97f2eed210a920e"}]}],"versions":["v1.2.0","v1.3.0","v1.4.0","v2.0.0","v2.0.0-rc1","v2.0.1","v2.1.0","v2.2.0","v2.2.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-43641.json","vanir_signatures":[{"digest":{"length":181,"function_hash":"99695740332437513636388773027228342549"},"deprecated":false,"target":{"function":"track_set_index","file":"cd.c"},"source":"https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e","signature_version":"v1","signature_type":"Function","id":"CVE-2023-43641-48ddca8c"},{"digest":{"threshold":0.9,"line_hashes":["8756292939909018082272915497763044013","259355301010329386047062716262160322823","224357065587374711409089558417898133088","50921009255475541106831150329911720118"]},"deprecated":false,"target":{"file":"cd.c"},"source":"https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e","signature_version":"v1","signature_type":"Line","id":"CVE-2023-43641-7b9cb289"}],"vanir_signatures_modified":"2026-04-29T12:20:14Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}