CVE-2023-40889
Description
A heap-based buffer overflow in ZBar's qr_reader_match_centers function allows attackers to execute arbitrary code via specially crafted QR codes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-40889 is a heap-based buffer overflow vulnerability in the qr_reader_match_centers function of ZBar version 0.23.90 [1][2]. The flaw resides in the QR code decoding logic, where insufficient bounds checking on input data can lead to memory corruption when processing specially crafted QR codes [2].
Exploitation
An attacker can trigger the vulnerability by providing a malicious QR code either digitally (e.g., via an image file) or physically (e.g., by presenting it to a scanner using ZBar) [2]. No authentication is required, and the attack vector is local or network-adjacent depending on how the scanner is accessed. The vulnerable function is invoked during the QR code decoding process, making any application using ZBar to decode QR codes a potential target [1].
Impact
Successful exploitation could result in information disclosure or arbitrary code execution in the context of the process using ZBar [2][3]. This could allow an attacker to compromise the scanning application or the underlying system, depending on the privileges of the process.
Mitigation
As of the publication date, no official patch has been released for ZBar 0.23.90 [2]. Users are advised to monitor the ZBar repository for updates [1] and consider applying input validation or sandboxing techniques to limit exposure until a fix is available.
[1] GitHub - mchehab/zbar: ZBar is an open source software suite for reading bar codes from various sources, including webcams. As its development stopped in 2012, I took the task of keeping it updated with the V4L2 API. This is the main repository for it. There's a clone at LinuxTV.org, and another one at gitlab.
[2] ZBar Heap-based Buffer Overflow Vulnerability - HackMD
[3] NVD - CVE-2023-40889
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zbar (PyPI) | <= 0.23.90 | — |
Affected products
Eight entries are listed: the ZBar/ZBar product and seven GHSA package coordinates (none with a CPE).

- ZBar/ZBar
- GHSA coordinates (7 package versions, affected range <= 0.23.90 and 6 more):

| Package identifier | Affected range |
|---|---|
| pkg:pypi/zbar | <= 0.23.90 |
| pkg:rpm/opensuse/zbar&distro=openSUSE%20Leap%2015.4 | < 0.23.1-150300.3.3.1 |
| pkg:rpm/opensuse/zbar&distro=openSUSE%20Leap%2015.5 | < 0.23.1-150300.3.3.1 |
| pkg:rpm/opensuse/zbar&distro=openSUSE%20Tumbleweed | < 0.23.90-5.1 |
| pkg:rpm/suse/zbar&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 | < 0.23.1-150300.3.3.1 |
| pkg:rpm/suse/zbar&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 | < 0.23.1-150300.3.3.1 |
| pkg:rpm/suse/zbar&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP4 | < 0.23.1-150300.3.3.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking in the qr_reader_match_centers function allows writing past the end of a heap-allocated buffer when processing a specially crafted QR code."
Attack vector
An attacker crafts a malicious QR code that, when processed by the `qr_reader_match_centers` function, triggers a heap-based buffer overflow [CWE-122]. The overflow can lead to out-of-bounds writes on the heap [CWE-787], potentially corrupting adjacent memory. The attacker can deliver the malicious QR code either by providing it as a digital image input to the scanner or by printing it on a physical surface that is later scanned by a vulnerable ZBar-based scanner [1][2].
Affected code
The heap-based buffer overflow resides in the `qr_reader_match_centers` function of ZBar version 0.23.90. This function is part of the QR code decoding logic and is reachable when the library processes specially crafted QR code images.
What the fix does
The advisory does not include a patch diff or specific remediation code. It only identifies the vulnerable function (`qr_reader_match_centers`) and the affected version (0.23.90). Without a published fix, users must monitor the ZBar project for a patched release and apply it once available.
Preconditions
- Input: the attacker must supply a specially crafted QR code image to ZBar's decoder, either as a digital file or as a physical printed code that will be scanned.
- Configuration: the vulnerable ZBar version 0.23.90 must be used to decode the malicious QR code.
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
Nine references are linked:

- github.com/advisories/GHSA-mhp6-jvpx-2p4m (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25LZZQJGGZRPLKTRNRNOTAFQJIPS7WRP/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DC7V5YCLCPB36J2KY6WLZCABFLBRB665/ (mitre; vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-40889 (ghsa; ADVISORY)
- hackmd.io/@cspl/B1ZkFZv23 (ghsa; WEB)
- lists.debian.org/debian-lts-announce/2023/12/msg00001.html (ghsa; mailing-list, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25LZZQJGGZRPLKTRNRNOTAFQJIPS7WRP (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DC7V5YCLCPB36J2KY6WLZCABFLBRB665 (ghsa; WEB)
- hackmd.io/%40cspl/B1ZkFZv23 (mitre)
News mentions
No linked articles in our index yet.