CVE-2026-45729 | THREATINT

Description

Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-01 | Updated 2026-06-02 | Assigner GitHub_M

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Problem types

CWE-476: NULL Pointer Dereference

Product status

< 1.0.5

affected

References

github.com/...thorvg/security/advisories/GHSA-f863-8ghq-7h64 exploit

github.com/...thorvg/security/advisories/GHSA-f863-8ghq-7h64

github.com/thorvg/thorvg/pull/4387

github.com/...ommit/159f44fd5e3d2eea1b3a70689a894e657e2bb079

github.com/thorvg/thorvg/releases/tag/v1.0.5

cve.org (CVE-2026-45729)

nvd.nist.gov (CVE-2026-45729)

Download JSON