VYPR
Unrated severity · NVD Advisory · Published Feb 15, 2022 · Updated Nov 3, 2025

CVE-2021-44960

Description

In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the renderDocument function handled the XMLDocument object improperly, returning a null pointer early at the second if statement, which results in a null pointer dereference later in the renderDocument function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In SVG++ library 1.3.0, XMLDocument::getRoot returns a null pointer, causing a null pointer dereference in the renderDocument function, leading to a crash.

Vulnerability

In SVG++ library version 1.3.0, the XMLDocument::getRoot function within the renderDocument function improperly handles the XMLDocument object. Under certain conditions, it returns a null pointer at the second if statement, which is then dereferenced later in renderDocument, causing a segmentation fault. The issue is confirmed via AddressSanitizer output showing a read access to address 0x0 in rapidxml_ns::xml_base::local_name().

Exploitation

An attacker can trigger this vulnerability by providing a specially crafted SVG file that causes XMLDocument::getRoot to return a null pointer. No authentication or special privileges are required; the victim simply needs to open the malicious SVG file with an application using the vulnerable SVG++ library.

Impact

Successful exploitation results in a null pointer dereference, leading to a denial of service (application crash). The crash is evidenced by a SEGV signal and a stack trace pointing to rapidxml_ns::xml_base::local_name(). No other impact (e.g., information disclosure or code execution) has been reported.

Mitigation

As of the publication date (2022-02-15), no fix has been released for this vulnerability. Affected users should monitor the SVG++ repository [1] for updates. The issue remains open, and no patch or workaround is available.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • SVG++/SVG++ library (description)
  • Svgpp/Svgpp (llm-fuzzy)
    Range: = 1.3.0

Patches

0

No patches discovered yet.

References

3
