CRITICAL🇵🇱 Wersja polska

CVE-2024-33078

CVSS 9.8v3.1pub. 2024-05-01upd. 2025-09-15

Tencent Libpag v4.3 is vulnerable to Buffer Overflow. A user can send a crafted image to trigger a overflow leading to remote code execution.

🤖 AI Analysis
How it works

An attacker sends a specially crafted image file to an application using the LibPAG library. The library does not properly verify the data size while processing this file, leading to a buffer overflow in process memory (buffer overflow, CWE-680). The overflow enables overwriting critical areas of the process memory and consequently executing arbitrary code on the server side or target application.

Impact

An attacker can gain full control over the vulnerable system through remote code execution (RCE) without requiring any privileges. The confidentiality, integrity, and availability of the system are at risk.

Mitigation & patch

Apply patches available from the vendor according to the references. Until the fix is deployed, it is recommended to restrict the ability to upload and process image files through components using the LibPAG library and to monitor network traffic anomalies.

Who is affected

Tencent LibPAG version 4.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tencent Libpag

    APP
    Tencent
    4.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2024-34408MEDIUM5.3ten sam produkt

Tencent libpag through 4.3.51 has an integer overflow in DecodeStream::checkEndOfFile() in codec/utils/DecodeS...

CVE-2026-30861CRITICAL9.9PL ✓ten sam vendor

RCE w WeKnora — command injection w walidacji konfiguracji MCP stdio

CVE-2026-30860CRITICAL9.9PL ✓ten sam vendor

RCE przez SQL Injection w Tencent WeKnora (bypass walidacji wyrażeń PostgreSQL)

CVE-2026-22688CRITICAL9.9PL ✓ten sam vendor

Command injection w Tencent WeKnora — wykonanie podprocesów przez MCP stdio

CVE-2023-30363CRITICAL9.8ten sam vendor

vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in ...