High severity 8.8 · NVD Advisory · Published Oct 9, 2023 · Updated Jun 17, 2026
CVE-2023-43641
Description
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to ~/Downloads, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
Affected products (15)
- osv-coords (13 versions)
  - pkg:deb/ubuntu/libcue@2.2.1-4ubuntu1?arch=source&distro=mantic (no CPE), range: < 2.2.1-4ubuntu1
  - pkg:rpm/suse/libcue&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP4 (no CPE), range: < 2.1.0-150000.3.3.1
  - pkg:rpm/suse/libcue&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5 (no CPE), range: < 2.1.0-150000.3.3.1
- lipnitsk/libcue (v5), range: <= 2.2.1
References (10)
- github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea (nvd: Patch)
- github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e (nvd: Patch)
- github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/ (nvd: Exploit, Third Party Advisory)
- github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj (nvd: Exploit)
- www.debian.org/security/2023/dsa-5524 (nvd: Third Party Advisory)
- lists.debian.org/debian-lts-announce/2023/10/msg00018.html (nvd: Mailing List)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57JEYTRFG4PVGZZ7HIEFTX5I7OONFFMI/ (nvd: Mailing List)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGQOMFDBXGM3DOICCXKCUS76OTKTSPMN/ (nvd: Mailing List)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XUS4HTNGGGUIFLYSKTODCRIOXLX5HGV3/ (nvd: Mailing List)
- packetstormsecurity.com/files/176128/libcue-2.2.1-Out-Of-Bounds-Access.html (nvd)