VYPR
Medium severity · 4.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-45729

Description

Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5.

Affected products

1

Patches

1
159f44fd5e3d

svg: ++robustness

https://github.com/thorvg/thorvg · Hermet Park · May 12, 2026 · via nvd-ref
1 file changed · +3 -1
  • src/loaders/svg/tvgSvgLoader.cpp · +3 -1 · modified
    @@ -3765,6 +3765,8 @@ void SvgLoader::clear(bool all)
     
     void SvgLoader::run(unsigned tid)
     {
    +    if (!ctx.parser) return;
    +
         //According to the SVG standard the value of the width/height of the viewbox set to 0 disables rendering
         if ((viewFlag & SvgViewFlag::Viewbox) && (fabsf(vbox.w) <= FLOAT_EPSILON || fabsf(vbox.h) <= FLOAT_EPSILON)) {
             TVGLOG("SVG", "The <viewBox> width and/or height set to 0 - rendering disabled.");
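Review bot: the early `return` added at the top of `run()` skips the `clear(false)` that ends the function and leaves no trace of why the task did nothing. Please confirm that nothing set up before `run()` relies on that `clear(false)` on this path, and add a one-line comment (or a `TVGLOG("SVG", ...)` like the viewBox case just below) stating when `ctx.parser` can be null here.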
    @@ -3804,7 +3806,7 @@ void SvgLoader::run(unsigned tid)
                 }
             }
         }
    -    root->ref();
    +    if (root) root->ref();
         clear(false);
     }
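Review bot: `if (root) root->ref();` stops the null dereference, but `run()` is `void` and a null `root` now passes silently, so the failure is only visible to whoever reads `root` later. Suggest logging the empty-scene case with `TVGLOG` at this point and checking that every consumer of `root` after `run()` treats null as a load failure; a regression test that feeds malformed input would pin that behaviour down.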
     
    

Vulnerability mechanics

Root cause

"A null pointer dereference occurs in SvgLoader::run() when processing malformed SVG input."

Attack vector

An attacker can trigger this vulnerability by providing a malformed SVG file to an application that uses ThorVG. The application calls `Picture::load()` with this untrusted data. A specially crafted 6-byte payload is sufficient to crash the process, resulting in a denial of service. This impacts applications like Samsung Tizen OS, Godot Engine, and LVGL that integrate ThorVG for SVG rendering [ref_id=1].

Affected code

The vulnerability resides in the `SvgLoader::run()` function within the `src/loaders/svg/tvgSvgLoader.cpp` file. Specifically, the issue occurs because the code dereferences the `root` pointer without checking if it is null after the `svgSceneBuild()` function returns [ref_id=1].

What the fix does

The patch addresses the vulnerability by adding a null check after the `svgSceneBuild()` function call in `SvgLoader::run()`. If `svgSceneBuild()` returns null, indicating malformed input, the function now clears the context and returns early, preventing the subsequent null pointer dereference on `root->ref()` [ref_id=1].
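
The pattern described above, reduced to a self-contained model. This is an added example, not ThorVG source: `Node`, `buildScene` and `MiniLoader` are hypothetical stand-ins, and the rule that an unclosed root element yields no scene is an assumption of the model. The checked variant also returns a status so the caller can reject the input, which goes beyond the guard in the patch.

```cpp
// Added illustration, not ThorVG source. Node, buildScene and MiniLoader are
// hypothetical stand-ins for the scene node, svgSceneBuild() and SvgLoader.
#include <cstdio>
#include <cstring>

struct Node { int refCnt = 0; void ref() { ++refCnt; } };

// Toy rule (assumption): a scene exists only if the root element is closed.
// Truncated input such as "<svg><" therefore yields nullptr.
static Node* buildScene(const char* data, std::size_t size)
{
    static const char kClose[] = "</svg>";
    const std::size_t n = sizeof(kClose) - 1;
    for (std::size_t i = 0; data && i + n <= size; ++i) {
        if (std::memcmp(data + i, kClose, n) == 0) return new Node;
    }
    return nullptr;
}

struct MiniLoader {
    Node* root = nullptr;
    ~MiniLoader() { delete root; }

    // Pre-patch shape: dereferences root unconditionally. With "<svg><" this
    // is a null dereference, so it is shown for contrast and never called.
    void runUnchecked(const char* data, std::size_t size)
    {
        root = buildScene(data, size);
        root->ref();
    }

    // Hardened shape: guard the dereference and tell the caller it failed.
    bool runChecked(const char* data, std::size_t size)
    {
        delete root;
        root = buildScene(data, size);
        if (!root) return false;  // malformed input: no scene was built
        root->ref();
        return true;
    }
};

int main()
{
    static const char payload[] = "<svg><";  // 6-byte input quoted on the page
    MiniLoader loader;
    std::printf("load ok: %d\n", loader.runChecked(payload, sizeof(payload) - 1));
}
```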

Preconditions

  • Input: The application must accept and process untrusted SVG data via `tvg::Picture::load()`.

Reproduction

Minimal reproducer — 6 bytes:

Crash (ASAN build):

    ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010
    #0 tvg::Paint::ref() tvgPaint.cpp:439
    #1 SvgLoader::run() tvgSvgLoader.cpp:3755 ← NULL deref
    #2 SvgLoader::header() tvgSvgLoader.cpp:3871
    #3 tvg::LoaderMgr::loader() tvgLoaderMgr.cpp:335
    #4 tvg::PictureImpl::load()

Confirmed in release build (no ASAN) as well:

    $ echo -n '<svg><' | ./app_using_thorvg
    Segmentation fault (core dumped)
    [exit 139]

[ref_id=1]

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
