CVE-2018-1000222
Description
A double-free vulnerability in libgd's gdImageBmpPtr function allows remote code execution via a crafted JPEG image, fixed in commit ac16bdf2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in libgd's gdImageBmpPtr function allows remote code execution via a crafted JPEG image, fixed in commit ac16bdf2.
Vulnerability
Libgd version 2.2.5 contains a double-free vulnerability in the gdImageBmpPtr function. The function calls gdImageBmpCtx without checking its return value, and then calls gdDPExtractData which can trigger a double free via the trimDynamic and gdReallocDynamic chain [3]. This affects libgd 2.2.5 and possibly earlier versions; the fix is in commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted JPEG image that, when processed by an application using libgd, triggers the double-free condition. No authentication is required; the attacker only needs to entice a user or service to process the malicious image [2]. The exact sequence involves the image being decoded and then passed to gdImageBmpPtr, where the unchecked return leads to memory corruption.
Impact
Successful exploitation can result in remote code execution (RCE) or a denial of service (DoS) condition [2]. The double free can corrupt heap memory, potentially allowing an attacker to execute arbitrary code with the privileges of the process using libgd.
Mitigation
The vulnerability is fixed in libgd commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5. Gentoo recommends upgrading to >=media-libs/gd-2.2.5-r2 [2]. No workaround is available; users should update to a patched version. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
23- osv-coords22 versionspkg:rpm/opensuse/gd&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/php7&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/php7&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/php8&distro=openSUSE%20Tumbleweedpkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3pkg:rpm/suse/php7&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
< 2.3.3-1.1+ 21 more
- (no CPE)range: < 2.3.3-1.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.4.24-1.1
- (no CPE)range: < 8.0.11-1.1
- (no CPE)range: < 2.1.0-24.9.1
- (no CPE)range: < 2.2.5-4.3.1
- (no CPE)range: < 2.2.5-4.3.1
- (no CPE)range: < 2.1.0-24.9.1
- (no CPE)range: < 2.1.0-24.9.1
- (no CPE)range: < 2.1.0-24.9.1
- (no CPE)range: < 2.1.0-24.9.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.5-4.9.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
- (no CPE)range: < 7.2.34-150000.4.103.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/mitrevendor-advisoryx_refsource_FEDORA
- security.gentoo.org/glsa/201903-18mitrevendor-advisoryx_refsource_GENTOO
- usn.ubuntu.com/3755-1/mitrevendor-advisoryx_refsource_UBUNTU
- github.com/libgd/libgd/issues/447mitrex_refsource_CONFIRM
- lists.debian.org/debian-lts-announce/2019/01/msg00028.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.