Multiple vulnerabilities in Simple Direct Media Layer
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 20 |
| CVE-ID | CVE-2019-7636 CVE-2019-7635 CVE-2019-7573 CVE-2019-7572 CVE-2019-7577 CVE-2019-7638 CVE-2019-7637 CVE-2019-7574 CVE-2019-7576 CVE-2019-7575 CVE-2019-7578 CVE-2019-12221 CVE-2019-12219 CVE-2019-12222 CVE-2019-12220 CVE-2019-12218 CVE-2019-12217 CVE-2019-12216 CVE-2019-13626 CVE-2019-13616 |
| CWE-ID | CWE-125 CWE-119 CWE-476 CWE-122 CWE-190 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available. Public exploit code for vulnerability #11 is available. Public exploit code for vulnerability #12 is available. Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #14 is available. Public exploit code for vulnerability #15 is available. Public exploit code for vulnerability #16 is available. Public exploit code for vulnerability #17 is available. Public exploit code for vulnerability #18 is available. Public exploit code for vulnerability #19 is available. Public exploit code for vulnerability #20 is available. |
| Vulnerable software |
Simple DirectMedia Layer Client/Desktop applications / Multimedia software |
| Vendor | zlib license |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
1) Heap out-of-bounds read
EUVDB-ID: #VU17683
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7636
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the SDL_GetRGB function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Heap out-of-bounds read
EUVDB-ID: #VU17684
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7635
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the Blit1to4 function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Heap out-of-bounds read
EUVDB-ID: #VU17685
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7573
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the InitMS_ADPCM function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Heap out-of-bounds read
EUVDB-ID: #VU17686
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7572
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the IMA_ADPCM_nibble function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Heap out-of-bounds read
EUVDB-ID: #VU17687
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7577
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the SDL_LoadWAV_RW function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Heap out-of-bounds read
EUVDB-ID: #VU17688
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7638
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the Map1toN function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Heap out-of-bounds read
EUVDB-ID: #VU17689
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7637
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the SDL_FillRect function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Heap out-of-bounds read
EUVDB-ID: #VU17690
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7574
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the IMA_ADPCM_decode function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Heap out-of-bounds read
EUVDB-ID: #VU17691
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7576
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the InitMS_ADPCM function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Heap out-of-bounds read
EUVDB-ID: #VU17692
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7575
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the MS_ADPCM_decode function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Heap out-of-bounds read
EUVDB-ID: #VU17693
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7578
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the in the InitlMA_ADPCM function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15/25720
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
12) Buffer overflow
EUVDB-ID: #VU19294
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-12221
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to a boundary error when processing images in the SDL_free_REAL() function at stdlib/SDL_malloc.c. A remote attacker can create a specially crafted image, trick the victim into opening it, trigger memory corruption and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
13) Buffer overflow
EUVDB-ID: #VU19293
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-12219
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to a boundary error when processing images in the SDL_SetError_REAL() function in SDL_error.c. A remote attacker can create a specially crafted image, trick the victim into opening it, trigger memory corruption and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4625
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
14) Out-of-bounds read
EUVDB-ID: #VU19292
Risk: Medium
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-12222
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an out-of-bounds read in libSDL2.a due to an out-of-bounds read in the function SDL_InvalidateMap at video/SDL_pixels.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4621
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
15) Out-of-bounds read
EUVDB-ID: #VU19291
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-12220
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an out-of-bounds read in libSDL2.a due to an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4627
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
16) NULL pointer dereference
EUVDB-ID: #VU19290
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-12218
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dreference error in SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c. A remote attacker can perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4620
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
17) NULL pointer dereference
EUVDB-ID: #VU19289
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-12217
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dreference error in SDL stdio_read function in file/SDL_rwops.c. A remote attacker can perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4626
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
18) Heap-based buffer overflow
EUVDB-ID: #VU19288
Risk: Medium
CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-12216
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the IMG_LoadPCX_RW() function in IMG_pcx. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4619
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
19) Integer overflow
EUVDB-ID: #VU19285
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-13626
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 2.0.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:2.0.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4522
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
20) Out-of-bounds read
EUVDB-ID: #VU19259
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-13616
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the "BlitNtoN" function in the "video/SDL_blit_N.c" file when called from the "SDL_SoftBlit" function in the "video/SDL_blit.c" file. A remote attacker can trick a victim to open a specially crafted file and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSimple DirectMedia Layer: 1.2.0 - 2.0.9
CPE2.3- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zlib_license:simple_directmedia_layer:1.2.2:*:*:*:*:*:*:*
https://bugzilla.libsdl.org/show_bug.cgi?id=4538
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
