Unrated severity · NVD Advisory · Published Aug 29, 2019 · Updated Aug 5, 2024

CVE-2019-15757


Description

libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG parser in parser.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the NRG parser of libMirage 3.2.2 can be triggered by a crafted image file, causing a crash.

Vulnerability

In libMirage 3.2.2, the NRG parser in parser.c contains a NULL pointer dereference vulnerability. The issue occurs in the mirage_parser_nrg_build_block_index function at line 103, where memcpy is called with a pointer (cur_ptr) that can be NULL. The root cause is in mirage_parser_nrg_load_image at line 992: if reading the descriptor data fails (e.g., due to a malformed file), the error handling may lead to nrg_data being freed or left in an inconsistent state, yet the code continues to call mirage_parser_nrg_build_block_index, resulting in a NULL pointer dereference [1][2].
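The failure mode described above (a descriptor read that fails, followed by a memcpy from a NULL cur_ptr), reduced to a defensive sketch of the two checks that stop it. This is an added example, not libMirage or CDemu code; the toy_* names, the struct layout and the sample bytes are assumptions made for illustration.

```c
/* Added illustration, not libMirage source; every name here is hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    uint8_t *nrg_data;     /* descriptor data read from the image */
    size_t   nrg_data_len;
} toy_parser;

/* Constructed sample image: 2 pad bytes, then a 4-byte block id "BLK1". */
static const uint8_t sample_img[] = { 0, 0, 'B', 'L', 'K', '1', 0, 0 };

/* Copy img[off, off+len) into p. On failure nrg_data stays NULL. */
static int toy_read_descriptor(toy_parser *p, const uint8_t *img,
                               size_t img_len, uint64_t off, size_t len)
{
    p->nrg_data = NULL;
    p->nrg_data_len = 0;
    if (off > img_len || len > img_len - off)
        return -1;                /* offset points outside the file */
    if ((p->nrg_data = malloc(len ? len : 1)) == NULL)
        return -1;
    memcpy(p->nrg_data, img + off, len);
    p->nrg_data_len = len;
    return 0;
}

/* Index step: refuse a NULL or short buffer before the memcpy from cur_ptr. */
static int toy_build_block_index(const toy_parser *p, char id[5])
{
    const uint8_t *cur_ptr = p->nrg_data;
    if (cur_ptr == NULL || p->nrg_data_len < 4)
        return -1;
    memcpy(id, cur_ptr, 4);
    id[4] = '\0';
    return 0;
}

/* Loader: a failed read ends the parse instead of falling through. */
int toy_load_image(const uint8_t *img, size_t img_len, uint64_t off,
                   size_t len, char id[5])
{
    toy_parser p;
    int rc = toy_read_descriptor(&p, img, img_len, off, len);
    if (rc == 0)
        rc = toy_build_block_index(&p, id);
    free(p.nrg_data);
    return rc;
}
```

Either check alone prevents the crash in this sketch; keeping both means the index step stays safe even if a future caller forgets to test the read result.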

Exploitation

An attacker can exploit this by providing a specially crafted NRG image file that causes the descriptor data read to fail, for example by setting an invalid trailer offset. The attacker must convince a user or an application using CDemu (or any software relying on libMirage) to load the malicious image. No authentication or special privileges are required; only the ability to supply the file to the target system [1][2].

Impact

Successful exploitation leads to a denial of service condition via a crash of the application that loaded the image. The available references do not indicate any potential for arbitrary code execution or privilege escalation; the impact is limited to causing the application to terminate abnormally [1][2].

Mitigation

The vulnerability exists in libMirage version 3.2.2. As of the publication date (2019-08-29), no official patch has been released. Users should monitor for updates from the CDemu project and apply a fix when available. In the meantime, avoid opening untrusted NRG image files. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

Patches

0

No patches discovered yet.


References

5
