CVE-2020-37239
Description
libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
libbabl 0.1.62 has a broken double free detection that allows attackers to bypass memory safety checks, leading to potential memory corruption and code execution.
Vulnerability
libbabl 0.1.62 and newer [2] implements a custom memory allocator that uses a signature field in BablAllocInfo to detect double frees. When babl_free() is called, the signature field is set to a marker string indicating that the chunk has been freed; however, libc's free() then overwrites that field with its own metadata, rendering the detection ineffective [1][2][4]. As a result, an attacker can call babl_free() twice on the same pointer without triggering the double free warning.
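The design weakness described above is that liveness evidence is kept inside the chunk, where libc is free to overwrite it. As an added illustration (not babl's code, and not a patch for this CVE), the hypothetical tracked_malloc()/tracked_free() helpers below keep an out-of-band registry of live pointers, so a repeated release is refused before the pointer ever reaches free() a second time:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 256

/* Hypothetical out-of-band registry of live allocations (not babl's code).
 * Nothing about a chunk's liveness is stored inside the chunk itself. */
static void *live_ptrs[MAX_LIVE];
static size_t live_count;

static int registry_find(const void *p) {
    for (size_t i = 0; i < live_count; i++)
        if (live_ptrs[i] == p) return (int)i;
    return -1;
}

void *tracked_malloc(size_t n) {
    if (live_count == MAX_LIVE) return NULL;
    void *p = malloc(n);
    if (p) live_ptrs[live_count++] = p;
    return p;
}

/* Returns 1 if p was live and has now been released, 0 if the free was
 * refused. The decision uses only the registry, so whatever libc writes
 * into the freed chunk (what defeats an in-band signature) cannot erase
 * the evidence, and the pointer is never handed to free() twice. */
int tracked_free(void *p) {
    int idx = registry_find(p);
    if (idx < 0) {
        fprintf(stderr, "refused free of %p: not a live allocation\n", p);
        return 0;
    }
    live_ptrs[idx] = live_ptrs[--live_count];  /* swap-remove */
    free(p);
    return 1;
}

/* Allocate, release, then attempt a second release of the same pointer.
 * Returns 1 when the first free succeeds and the second is refused. */
int demo_double_free_caught(void) {
    void *p = tracked_malloc(64);
    if (!p) return -1;
    int first = tracked_free(p);
    int second = tracked_free(p);
    return first == 1 && second == 0;
}

int main(void) {
    puts(demo_double_free_caught() == 1 ? "second free refused" : "MISSED");
    return 0;
}
```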
Exploitation
An attacker can exploit this by causing a double free condition. The proof-of-concept [2] demonstrates a simple program that allocates memory with babl_malloc(), frees it once, then frees it again. The second free goes undetected because the signature has been overwritten. No special privileges or user interaction are required beyond triggering the double free in an application using libbabl.
Impact
A successful double free can corrupt heap metadata, leading to memory corruption and potentially arbitrary code execution [4]. Since libbabl is used by GEGL and GIMP [3], an attacker could compromise these applications, potentially gaining the same privileges as the user running them. In network-facing scenarios, this could lead to remote code execution.
Mitigation
No official fix has been released as of the publication date. Users should monitor the babl project [1] for a patched version. Workarounds are not available; the vulnerability is inherent to the design of the double free detection mechanism.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.