VYPR
Unrated severity · NVD Advisory · Published Mar 6, 2018 · Updated Aug 5, 2024

CVE-2018-7731

Description

Exempi through 2.4.4 contains a NULL pointer dereference in WEBP::VP8XChunk, leading to denial of service or potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in Exempi versions up to and including 2.4.4. The flaw is located in the XMPFiles/source/FormatSupport/WEBP_Support.cpp file, specifically within the WEBP::VP8XChunk class. When parsing a specially crafted WebP bitstream, the code does not verify that a bitstream pointer is non-NULL before dereferencing it, leading to a crash or potentially exploitable memory corruption [1][2].
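To show the class of defect the paragraph describes (a chunk lookup that can return NULL, dereferenced without a check), here is a minimal RIFF/WebP chunk walker written for this page. It is a hypothetical illustration, not Exempi's WEBP_Support.cpp or its VP8XChunk class; all names, the constructed sample buffers and the 10-byte VP8X payload layout (flags, reserved, 24-bit width-1, 24-bit height-1) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian 32-bit read, as used by RIFF chunk sizes. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical chunk lookup: returns the payload of the first chunk whose
 * FourCC matches, or NULL if the file is not WebP, the chunk is absent, or a
 * chunk size runs past the end of the buffer. Callers MUST check for NULL:
 * dereferencing the result blindly is the defect class described above. */
static const uint8_t *find_chunk(const uint8_t *buf, size_t len,
                                 const char fourcc[4], size_t *out_len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0)
        return NULL;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t csize = le32(buf + off + 4);
        if (csize > len - off - 8) return NULL;        /* truncated chunk */
        if (memcmp(buf + off, fourcc, 4) == 0) { *out_len = csize; return buf + off + 8; }
        off += 8 + csize + (csize & 1);                /* RIFF pads odd sizes */
    }
    return NULL;
}

/* Hardened consumer: reads the VP8X canvas size only after verifying the
 * lookup succeeded and the payload is long enough. Returns 0 or -1. */
int vp8x_canvas(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h) {
    size_t n = 0;
    const uint8_t *p = find_chunk(buf, len, "VP8X", &n);
    if (p == NULL || n < 10) return -1;   /* the check whose absence causes the crash */
    *w = 1 + ((uint32_t)p[4] | ((uint32_t)p[5] << 8) | ((uint32_t)p[6] << 16));
    *h = 1 + ((uint32_t)p[7] | ((uint32_t)p[8] << 8) | ((uint32_t)p[9] << 16));
    return 0;
}

/* Constructed sample: RIFF header plus a VP8X chunk declaring a 16x8 canvas. */
static const uint8_t SAMPLE_VP8X[] = {
    'R','I','F','F', 22,0,0,0, 'W','E','B','P',
    'V','P','8','X', 10,0,0,0, 0x00, 0,0,0, 15,0,0, 7,0,0 };
/* Constructed sample: a lossy-only file that carries no VP8X chunk at all. */
static const uint8_t SAMPLE_NO_VP8X[] = {
    'R','I','F','F', 16,0,0,0, 'W','E','B','P',
    'V','P','8',' ', 4,0,0,0, 0,0,0,0 };

int demo_canvas_width(void)  { uint32_t w = 0, h = 0; return vp8x_canvas(SAMPLE_VP8X, sizeof SAMPLE_VP8X, &w, &h) == 0 ? (int)w : -1; }
int demo_canvas_height(void) { uint32_t w = 0, h = 0; return vp8x_canvas(SAMPLE_VP8X, sizeof SAMPLE_VP8X, &w, &h) == 0 ? (int)h : -1; }
int demo_missing_vp8x(void)  { uint32_t w = 0, h = 0; return vp8x_canvas(SAMPLE_NO_VP8X, sizeof SAMPLE_NO_VP8X, &w, &h); }
```

The second sample is the shape of input that defeats a consumer lacking the NULL check: a structurally valid WebP file in which the optional VP8X chunk simply is not present.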

Exploitation

An attacker must deliver a specially crafted WebP file to the target system and entice a user or automated process to open it with Exempi. No additional authentication or network position is required; the attack vector is local file parsing. Once the malicious file is loaded, the vulnerable code path is triggered, causing a NULL pointer dereference in the WEBP::VP8XChunk handler [1].

Impact

Successful exploitation results in a denial of service (application hang or crash). The advisory notes that arbitrary code execution may be possible, though the primary impact is a crash leading to temporary unavailability of the parsing service [1].

Mitigation

Ubuntu released fixed packages in USN-3668-1 on 4 June 2018; users should update to the corrected version of exempi [1]. Fedora also issued an update; see [2] for details. If immediate patching is not possible, avoid opening untrusted WebP files with Exempi until the update can be applied.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: the mechanics section is generated only when the actual fix diff can be read. Without it, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0

No linked articles in our index yet.