CVE-2026-45729

Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/thorvg/thorvg/commit/159f44fd5e3d2eea1b3a70689a894e657e2bb079
https://github.com/thorvg/thorvg/pull/4387
https://github.com/thorvg/thorvg/releases/tag/v1.0.5
https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64
https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64

Configurations

No configuration.

History

02 Jun 2026, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64 -~~	() https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64 -

01 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-01 19:16

Updated : 2026-06-02 16:16

NVD link : CVE-2026-45729

Mitre link : CVE-2026-45729

CVE.ORG link : CVE-2026-45729

JSON object : View

Products Affected

No product.

CWE

CWE-476

NULL Pointer Dereference

4.3 /10